Last updated: 04/26/2019
Security is very important to us and we appreciate the responsible, private disclosure of issues.
We pay $100 USD per accepted bug. Once we receive a bug report, we will take up to 14 business days to review it and reply. If it meets our criteria, we will pay $100 USD per unique bug reported.
The following bug types are specifically excluded from the bounty:
Any reports for 3rd-party systems
Descriptive error messages (e.g. Stack traces, application or server errors)
HTTP 404 codes/pages or other HTTP non-200 codes/pages
Banner disclosure on common/public services
Disclosure of known public files or directories (e.g. robots.txt)
Clickjacking and issues only exploitable through clickjacking
Self-XSS and issues exploitable only through Self-XSS
CSRF on forms that are available to anonymous users (e.g. the contact form)
Tab nabbing (see Google's response)
Stripping EXIF data from uploaded images
Logout Cross-Site Request Forgery (logout CSRF)
Presence of application or web browser "autocomplete" or "save password" features
Issues that require physical access to the device to carry out the exploit
DMARC configuration not in quarantine or reject mode
WordPress XML-RPC or REST API scripts not deleted (they are disabled as much as our host will allow)
Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.
Reports relating to the password policy
Any duplicate bug reports that we have previously received will be excluded.
Any bug reports for which the fix is not feasible will be excluded.
We encourage you to focus on the hubstaff.com, tasks.hubstaff.com and talent.hubstaff.com hosts.
When submitting a bug report, please email email@example.com and include as much information as possible (steps to reproduce, an explanation of why it is a bug, etc.).
Videos are encouraged.