
Indeed Bug Bash

“From day one, Bugcrowd has been a valued partner for us. Not only are they quick to respond, but with their security expertise, we can continue to strengthen our security posture and work together to protect the information of job seekers and employers”

- Anthony Moisant, CSO and CIO
Products

Managed Bug Bounty

Industry

Employment website for job listings and hiring

  • Challenges

    Testing new features such as OneGraph API, Virtual Interview Platform, and the Indeed Hiring Platform—plus existing web apps, APIs, and mobile apps.

  • Outcomes

    CrowdMatch, the proprietary machine-learning technology in the Bugcrowd platform, gathered hackers with the exact skills, experience, and engagement needed to identify security vulnerabilities for Indeed. Hackers were rewarded up to $20,000 for each finding.

About Indeed

More people find jobs on Indeed than anywhere else. Indeed is the #1 job site in the world and allows job seekers to search millions of jobs in more than 60 countries and 28 languages. Over three million employers use Indeed to find and hire new employees. More than 300 million unique visitors each month search for jobs, post resumes, and research companies on Indeed, and Indeed delivers 2.5 times more hires than other branded job sites combined. For more information, visit indeed.com.

Background Information


“Bug Bashes” are hacking competitions organized by Bugcrowd that connect an organization with top security researchers, sometimes called ethical hackers, to crowdsource the discovery of hidden vulnerabilities in the form of an in-person, gamified event. These highly curated teams of security researchers possess a diverse arsenal of in-demand skills and collectively represent the most powerful intelligence available for modern use cases and emerging threats. Putting a group of them together in a room to do intense vulnerability discovery can yield impressive results, sometimes hundreds of bugs within a single day.

Challenges

Indeed wanted to test recently released features such as their OneGraph API, Virtual Interview Platform, and the Indeed Hiring Platform. Testing was not limited to just new features, but also included their existing suite of web apps, APIs, and mobile apps.

Solution

Already a Bug Bounty customer, Indeed decided to double down on ensuring the resilience of its security posture by participating in a Bugcrowd Bug Bash in Las Vegas at one of the world’s top cybersecurity conferences. This live event leveraged the combined intelligence of some of the world’s top hackers to help secure Indeed’s expanding asset footprint. The hackers were specifically selected to hack on Indeed’s platform, based on their exceptional and relevant performance on the Bugcrowd Security Knowledge Platform™ over time. They gathered to collaborate and compete for rewards to find the most crucial vulnerabilities on the platform, to achieve Indeed’s end goal of securing their platform for their users.

Hackers invited to the Bug Bash were chosen based upon the scope of Indeed’s program using Bugcrowd’s CrowdMatch™, a proprietary machine-learning (ML) technology in the Bugcrowd Security Knowledge Platform. CrowdMatch gathered a precisely curated crowd with the exact skills, experience, and engagement necessary to identify and submit security vulnerabilities on Indeed’s platform. This technology expertly paired Indeed’s specific needs, environments, and use cases with specific researcher skill sets, interests, and availability. During the Indeed Bug Bash, researchers were more engaged and active because CrowdMatch aligned their skills and interests with Indeed’s program needs.


Why Bugcrowd was chosen

“Indeed’s Security and R&D teams were impressed by the results of our first Bug Bash event with Bugcrowd’s global community of security researchers,” said Anthony Moisant, Chief Security Officer and Chief Information Officer for Indeed. “With the help of the Bugcrowd community and platform, we’ve been able to continue strengthening our security posture and work together to protect the information of job seekers and employers.”

Outcomes

Indeed’s security and engineering teams collaborated with researchers from around the world to secure Indeed’s mobile applications and user data. Researchers received reward payouts of up to $20,000 for each vulnerability identified, and over 63% of the vulnerabilities found were net new to Indeed’s bug bounty program.

As a longtime Bugcrowd customer, Indeed has rewarded more than 1,500 vulnerability submissions through its public bug bounty program with Bugcrowd.
