Bug Bounty Program
Security is a top priority at Talentpilot. We value the work of independent security researchers and appreciate responsible reports that help us protect our users, customers, and systems.
Responsible disclosure, done right
Our bug bounty program is intended to encourage responsible vulnerability disclosure. If you believe you have discovered a security issue affecting Talentpilot, please report it to us as soon as possible.
We ask that all researchers act in good faith, avoid privacy violations, avoid disruption to our services, and give us reasonable time to investigate and resolve reported issues before public disclosure.
Contact
Please send security reports to:
security@talentpilot.com
Include your preferred contact method and whether you would like to be publicly acknowledged.
Our security contact details are also published at:
app.talentpilot.com/.well-known/security.txt
What's in scope
Only vulnerabilities that affect systems owned, operated, or explicitly listed by Talentpilot are eligible. The following asset is currently in scope:
What we are — and aren't — looking for
This list is not exhaustive. If you believe an issue has a real security impact, we encourage you to report it.
Eligible vulnerabilities
- ✓ Authentication or authorization bypass
- ✓ Account takeover vulnerabilities
- ✓ Remote code execution
- ✓ Server-side request forgery
- ✓ SQL injection
- ✓ Cross-site scripting with meaningful security impact
- ✓ Cross-site request forgery with meaningful security impact
- ✓ Sensitive data exposure
- ✓ Privilege escalation
- ✓ Business logic vulnerabilities with clear impact
- ✓ Insecure direct object references
- ✓ Security misconfigurations that expose sensitive systems or data
Generally out of scope
- × Vulnerabilities in third-party services not operated by Talentpilot
- × Reports based only on automated scanner output without a working proof of concept
- × Missing security headers without demonstrated impact
- × Clickjacking on pages with no sensitive actions
- × Self-XSS without a realistic attack scenario
- × Social engineering, phishing, or physical attacks
- × Spam, brute-force, or rate-limit testing that may disrupt services
- × Issues requiring malware, stolen credentials, or compromised devices
- × Vulnerabilities affecting outdated browsers or unsupported platforms
- × Publicly known vulnerabilities without evidence our systems are affected
- × Disclosure of non-sensitive metadata or version information without exploitability
- × Denial-of-service or resource exhaustion attacks
When testing, you must
- ✓ Use only accounts that you own or have explicit permission to use
- ✓ Avoid accessing, modifying, deleting, or exfiltrating data that does not belong to you
- ✓ Stop testing immediately if you encounter sensitive data, and report it to us
- ✓ Avoid disrupting, degrading, or damaging our services
- ✓ Avoid automated high-volume testing unless explicitly approved
- ✓ Avoid social engineering, phishing, or attacks against our employees, users, or partners
- ✓ Keep vulnerability details confidential until our investigation and remediation are complete
What a great report includes
Please include enough detail for our team to reproduce and validate the issue.
Clear description
A clear description of the vulnerability.
Affected target
The affected URL, endpoint, product, or feature.
Reproduction steps
Step-by-step instructions to reproduce the issue.
Proof of concept
A proof of concept, screenshots, or video if helpful.
Security impact
The potential security impact of the vulnerability.
Suggested fix
Any suggested remediation, if available.
We've got your back
We will not pursue legal action against security researchers who act in good faith and follow this policy. If you are unsure whether a particular action is allowed, contact us before proceeding.
- ✓ Comply with this policy
- ✓ Avoid harm to users, customers, employees, systems, and data
- ✓ Report discovered vulnerabilities promptly
- ✓ Do not exploit the issue beyond what is necessary to demonstrate impact
- ✓ Do not publicly disclose before we resolve it or give written permission
Rewards, disclosure & credit
Rewards
Eligible reports may qualify for a bounty at our discretion, based on severity, impact, exploitability, report quality, and whether the issue was previously known to us. Low-impact, duplicate, out-of-scope, non-reproducible, or scanner-only reports may not be rewarded.
Disclosure
Please do not publicly disclose a vulnerability without our written permission. We aim to communicate clearly throughout the process, and public disclosure may be coordinated once the issue has been resolved.
Acknowledgments
With your permission, we may recognize valid reports on our security acknowledgments page. Let us know whether you would like to be credited and what name, handle, or link we should use.
Legal notice
This policy does not grant permission to access, modify, destroy, or disclose data that does not belong to you. It also does not authorize testing against third-party systems, customers, partners, vendors, or infrastructure not explicitly listed in scope. By participating in this program, you agree to follow this policy and all applicable laws.