This web page describes JobAdder’s policy for receiving reports related to potential security vulnerabilities in its products and services. This vulnerability disclosure policy applies to any vulnerabilities you are considering reporting to JobAdder.

We value those who take the time and effort to report security vulnerabilities according to this policy. However, at this stage, we do not offer monetary rewards for vulnerability disclosures.

Reporting

If you believe you have found a security vulnerability, please submit your report to us using the following email: dataprivacy@jobadder.com

In your report please include details of:

• Time and date of discovery
• URL and browser information including type and version where the vulnerability can be observed 
• Technical Description — provide what actions were being performed and the result in as much detail as possible;
• Your Contact Information - best method to reach you

If you report a vulnerability under this policy, we ask that you keep it confidential while we investigate the issue.

What to expect

After you have submitted your report, the appropriate personnel will contact you to follow-up within 5 business days. We will notify you at each stage of the investigation. When the reported vulnerability is remediated, you may be invited to confirm that the solution covers the vulnerability adequately.

Guidance

In searching for a vulnerability and or obtaining evidence of the vulnerability to report it to us, you must not:

• Break any applicable law or regulations.
• Access unnecessary, excessive or significant amounts of data.
• Modify data in our systems or services.
• Use high-intensity invasive or destructive scanning tools to find vulnerabilities.
• Attempt or report any form of denial of service, e.g. overwhelming a service with a high volume of requests.
• Share, redistribute or fail to properly secure data retrieved from the systems or services
• Disrupt our services or systems.
• Submit reports detailing non-exploitable vulnerabilities, or reports indicating that the services do not fully align with “best practice”, such as:
  • Cookie flags ie. Secure, HTTPOnly.
  • Email configuration ie. SPF, DKIM, DMARC.
  • Error pages ie. verbose error messages, stack traces, invalid status codes.
  • Admin or maintenance pages ie. monitoring system login pages, pages with no sensitive information.
  • Clickjacking ie. missing X-Frame-Options header.
  • Non-sensitive exposed API keys
  • Absent or misconfigured HTTP headers ie. Content-Security-Policy, Strict-Transport-Security, X-XSS-Protection, Cache-Control.
  • Configuration that is not directly exploitable ie. weak TLS ciphers, password policy, session expiration, certificate pinning.
  • Vulnerabilities exclusive to outdated, unpatched and unsupported browsers, mobile applications and mobile operating systems.
• Communicate any vulnerabilities or associated details other than by means described in this document.
• Social engineer, ‘phish’ or physically attack JobAdder employees or its users.
• Demand financial compensation in order to disclose any vulnerabilities.

You must:

• Securely delete all data retrieved during your research as soon as it is no longer required or within 1 month of the vulnerability being resolved, whichever occurs first (or as otherwise required by data protection law).
• Always comply with data protection laws and must not violate the privacy of our users, staff, contractors, services or systems.

Responsible disclosure contributors

The names or aliases of individuals and organisations, that wish to be identified, who contribute to our security vulnerability disclosure program will be published with their permission and shown below.