Responsible Disclosure Policy
Last updated: July 9, 2026 · Effective: July 9, 2026 · expires July 9, 2027 · security.txt
Jobeezy, Inc. (“Jobeezy,” “we,” “us,” or “our”) builds a job-search and application service used by everyday working people — in retail, warehousing, hospitality, trades, healthcare support, delivery, and more — many of whom trust us with sensitive information. Protecting that information is one of our most important jobs. This policy explains how to report a security problem to us, what we allow and do not allow when you look for one, and what we promise in return.
In plain words. If you find a security weakness in Jobeezy, please tell us at security@jobeezy.com and give us a fair chance to fix it before you share it publicly. If you follow the rules on this page and act in good faith, we treat your research as authorized, we will work with you to fix the issue, and we will not take or support legal action against you. We aim to reply within 5 business days. One important rule up front: do not send real job applications to real employers while you test — ask us for a safe test setup instead.
1. The short version
Security researchers help keep everyone safe. We welcome reports of security weaknesses in the Jobeezy services listed in the scope section below. Here is the whole policy in five points:
- Report privately first. Email security@jobeezy.com. Give us time to fix the issue before you talk about it in public.
- Test gently. Use only your own test accounts, take only the minimum data needed to prove the problem, and do not harm other people or disrupt the service.
- Never fire live applications. Do not use Auto-Apply to send applications to real employers. Ask us for a sandbox instead.
- We protect good-faith researchers. Follow this policy and we will not pursue legal action against you — see the safe-harbor section for the exact authorization.
- We respond. We aim to acknowledge good-faith reports within 5 business days and to fix serious issues quickly. These are good-faith targets, not guarantees.
The rest of this page is the full policy. If anything here is unclear, email us and ask — we would rather answer a question than have you guess.
2. Safe harbor — our authorization to you
A “safe harbor” only means something if the company actually gives you permission. This section is that permission.
Safe harbor. If you make a good-faith effort to follow this policy during your security research, we will consider your research to be authorized, we will work with you to understand and resolve the issue quickly, and we will not recommend or pursue legal action against you, and we will not support such action by others. To the extent your activity is consistent with this policy:
- We authorize it. We consider it authorized access under the U.S. Computer Fraud and Abuse Act (18 U.S.C. § 1030) and analogous state computer-crime laws, including the Texas Breach of Computer Security statute (Tex. Penal Code § 33.02). We will not bring or support a civil or criminal claim against you for that activity.
- We waive DMCA anti-circumvention claims. We waive any claim under DMCA § 1201 for good-faith research conducted under this policy.
- This is a limited, personal authorization from Jobeezy only. It does not bind our sub-processors, employers, or any other third party, and it does not authorize you to access, disrupt, or test any third-party system (including an employer’s own application system), any payment provider, or any other person’s data or account.
- If in doubt, ask first. If you are unsure whether specific conduct is covered, email security@jobeezy.com for written pre-authorization before you proceed. Acting under written authorization we give you is treated as good faith.
- What good faith means. You act in good faith when you follow this policy, avoid privacy violations and harm to users, access only the minimum data needed to demonstrate an issue, and do not exploit an issue beyond what is needed to prove it. Safe harbor is forfeited by data theft or retention, extortion, privacy violations, service disruption, or public disclosure outside the coordinated window described below.
Nothing in this policy creates a contract or any new legal obligation, and nothing here waives our Terms of Service or End-User License Agreement except for the specific authorizations granted in this section.
3. What is in scope
This policy covers the Jobeezy services we operate:
- jobeezy.com — our main marketing and information site.
- app.jobeezy.com — the authenticated web app.
- api.jobeezy.com — our REST API (FastAPI, hosted on Render).
- Jobeezy for Android (Google Play; package
com.jobeezy.job). - Jobeezy for iOS — when available. iOS is not yet released; this policy will cover it once it is.
3.1 Weaknesses we most want to hear about
All classic web, API, and mobile security issues are welcome. Because Jobeezy applies to jobs on your behalf and handles sensitive information, we especially want to hear about:
- Cross-account access — any way to read, change, or delete another user’s résumé, profile, applications, or messages.
- Hijacking an Auto-Apply authorization — replaying, forging, or reusing another user’s per-job approval so an application is submitted without their consent.
- Exposure of the isolated EEO / demographic collection (voluntary race, ethnicity, sex, veteran-status, and disability self-ID answers). We treat any such exposure as Critical.
- Prompt injection or jailbreak of our AI — getting the vision-first apply model, the matching engine, or the embeddings pipeline (served through OpenRouter or Anthropic) to change what is submitted, leak another user’s data, or bypass our safeguards.
- Authentication or session bypass in our Clerk-based sign-in.
- Subscription or entitlement bypass — obtaining Jobeezy Plus without paying, or tampering with entitlement checks (Google Play, Apple, or RevenueCat).
- Server-side request forgery (SSRF) reachable through our managed cloud browsers (Browserbase).
- Injection, remote code execution, insecure direct object references, and exposure of secrets or internal endpoints.
4. How to report a vulnerability
Email security@jobeezy.com. You may report anonymously — we only need contact details if you want an acknowledgment or public credit. If you would like to send your report encrypted, say so in a short first email and we will arrange a secure channel.
Please send one report per issue, in English where you can, and give us a reasonable chance to respond before you tell anyone else.
5. What to include in your report
A good report helps us fix the problem faster. Please include:
- A clear description of the weakness and what an attacker could do with it.
- Step-by-step instructions to reproduce it (proof-of-concept code, screenshots, or request and response pairs as appropriate).
- The exact URL, endpoint, screen, or component affected.
- Any accounts you used (please use only your own test accounts).
- How you would like to be credited, if at all.
6. Rules for good-faith research
To stay inside the safe harbor, please follow these rules. They exist to protect other users, whose résumés and personal details we are responsible for.
6.1 Handle data carefully
- Use only your own test accounts. Never access, change, or delete another user’s data.
- Stop immediately if you come across anyone’s personal information — a résumé, contact details, or EEO / demographic answers. Do not download, copy, screenshot beyond minimal proof, transmit, or keep it.
- Delete any data you accessed by accident and tell us in your report.
- Do not create backdoors, move deeper into our systems, pivot to other systems, or keep access. Leave things as you found them.
6.2 Do not disrupt the service
- Do not run high-volume automated scanning that could slow down or break the service for real users. If you want to run any automated testing, ask us first at security@jobeezy.com for written authorization and a testing window.
- Do not use social engineering (for example, phishing our staff), physical attacks, or attempts to overwhelm the service (denial of service).
6.3 Coordinated disclosure
- Give us a reasonable chance to fix the issue before you disclose it publicly. Our standard window is 90 days from your report, or as soon as a fix is released, whichever comes first. We will agree to a good-faith extension when a fix is genuinely complex, and we will keep you informed.
- Please coordinate any public write-up with us. We are happy to acknowledge your work when the issue is resolved.
- We follow the spirit of the recognized coordinated-disclosure standards (ISO/IEC 29147 for disclosure and ISO/IEC 30111 for handling).
7. Testing Auto-Apply and our AI
Jobeezy is different from most apps: when you approve a job, we act as your agent and submit a real application into an employer’s own system by driving a managed cloud browser. Testing must respect that.
Do not trigger live application submissions to real employers. A test application fired into a real employer’s system harms that employer, harms the user whose profile is used, and can expose you to legal risk under the employer’s own terms. Test the Auto-Apply and cloud-browser pipeline only against accounts and targets we designate. Request a sandbox at security@jobeezy.com and we will set one up.
7.1 Employer systems are not ours to test
We interact with employer career sites and applicant-tracking systems only with the user’s authorization, as the user’s agent. This policy does not authorize you to probe, attack, or test any third-party employer system through Jobeezy or otherwise. Those systems belong to other companies and are outside our safe harbor.
7.2 A wrong AI result is not a security bug
A fit score you disagree with, a résumé edit you do not like, or a ranking you think is biased is not a security vulnerability — and we take those concerns seriously through a different door. Please report AI-quality, fairness, or bias concerns to privacy@jobeezy.com, not to the security inbox. A security report about our AI is something like prompt injection that changes what gets submitted or leaks another user’s data (see the weaknesses we most want to hear about).
8. What is out of scope
The following are generally not eligible under this policy. Reports in these categories may be closed without action unless you can show a real, exploitable security impact:
- Denial-of-service attacks (DoS / DDoS) and volumetric or resource-exhaustion testing.
- Social engineering of Jobeezy staff, contractors, or users; phishing; and physical attacks against our people or facilities.
- Live application submissions to real employers, and any testing of employer or other third-party systems (see the Auto-Apply section).
- Vulnerabilities in third-party services we use but do not control — report those to the provider (see Third-party services). A misconfiguration by Jobeezy of one of those services is in scope.
- Issues that require physical access to a user’s unlocked device, a rooted or jailbroken device, or a compromised network.
- Output from automated scanners without a working proof of concept and a demonstrated impact.
- Self-XSS that requires a victim to paste code into their own browser console.
- Missing security headers, best-practice suggestions, or configuration hardening that do not lead to a demonstrated, exploitable issue.
- Reports about AI quality, fit scores, or fairness (route these to privacy@jobeezy.com).
9. Our commitments to you
| We will… | We will not… |
|---|---|
| Aim to acknowledge your good-faith report within 5 business days. | Pursue or support legal action against researchers acting in good faith under this policy. |
| Keep you informed of our progress as we investigate and fix the issue. | Share your personal information, except where the law compels it or where we must share it with our advisers or service providers to fix the issue. |
| Credit you publicly for your disclosure, with your permission. | Require you to sign a non-disclosure agreement in order to report. |
| Work with you in good faith to understand and resolve what you found. | Ignore reports that meet the rules on this page. |
10. Response targets and severity
The timelines below are good-faith targets, not guarantees. How quickly we act depends on how serious and complex an issue is. We separate three steps: acknowledge (we have received your report), triage (we have confirmed and rated it), and resolve (we have shipped a fix). We assign the severity of an issue at our reasonable discretion.
- Acknowledge: we aim to respond to good-faith reports within 5 business days.
- Resolve: we aim to remediate critical and high-severity issues within 30 days, and medium and low-severity issues within 90 days.
| Severity | Examples | Remediation target |
|---|---|---|
| Critical | Remote code execution; authentication bypass; large-scale data exposure; exposure of the isolated EEO / demographic collection; hijacking another user’s Auto-Apply authorization | 30 days |
| High | Privilege escalation; cross-account résumé or application access; SSRF with internal access; subscription or entitlement bypass; prompt injection that changes what is submitted | 30 days |
| Medium | Stored cross-site scripting; CSRF on sensitive actions; insecure direct object references without large-scale impact | 90 days |
| Low | Reflected (self-only) cross-site scripting; limited information disclosure; missing headers with limited impact | 90 days |
11. Third-party services and sub-processors
Jobeezy relies on trusted service providers to run the service. A security weakness in one of their platforms should be reported to that provider through their own security program — but if you find a way that Jobeezy’s use or configuration of one of them exposes user data, that is in scope and we want to hear about it. Our current providers include:
- Render (hosting and compute), MongoDB Atlas (database), Cloudflare R2 (file storage), and Clerk (sign-in and sessions).
- OpenRouter (our primary AI provider) and Anthropic (fallback AI), used under no-training terms.
- Browserbase (managed cloud browsers that submit approved applications) and 2captcha (solving CAPTCHAs during Auto-Apply).
- RevenueCat (subscription entitlements), with billing handled by Apple and Google Play.
- Resend (email), Expo Push Service (push notifications), PostHog (product analytics), Sentry (error monitoring), and Apify (job-posting ingestion, no user personal data).
For the full, current list, see our Sub-processors page.
12. Recognition and rewards
We do not currently operate a paid bug-bounty program; recognition is non-monetary. Researchers who responsibly disclose a valid, in-scope issue are credited publicly with their permission — just tell us in your report how you would like to be named, or ask to stay anonymous. If we introduce a paid program in the future, we will publish its rules here.
13. Legal terms
13.1 Eligibility
You must be legally able to enter an agreement to take part. Safe harbor and recognition are not available to anyone located in a comprehensively embargoed country or on a U.S. or other applicable sanctions list. Current Jobeezy employees and contractors, and their immediate family members, are not eligible for public recognition. Taking part in this program does not create any employment, agency, or compensation relationship with Jobeezy.
13.2 Governing law and integration
This policy is governed by the laws of the State of Texas, without regard to its conflict-of-laws rules, and it forms part of and is subject to our Terms of Service and End-User License Agreement. Nothing here waives those documents except for the specific authorizations granted in the Safe harbor section.
13.3 How we handle your information
If you send us a report, we process the contact details and content you provide only to investigate, fix, and (with your permission) credit the issue, and to keep records of the report. We handle that information as described in our Privacy Policy. We keep your report confidential and do not share your personal information without your permission, except where the law compels disclosure or where we must share limited details with our advisers or service providers to remediate the issue.
13.4 Updates to this policy
We may update this policy from time to time. The version in effect at the time of your testing governs your research. Material changes will be reflected in the “Last updated” date at the top of this page.
14. Contact and updates
Security reports: security@jobeezy.com
AI quality, fairness, or bias concerns: privacy@jobeezy.com
Machine-readable policy: security.txt
Postal: Jobeezy, Inc., 800 Brazos St., Suite 400, Austin, TX 78701, USA.
One honest note. No app, website, or company can promise that information is ever 100% secure, and we do not make that promise. What we can promise is that we take security seriously, we welcome your help, and we will treat good-faith researchers fairly.
Last updated: July 9, 2026. Effective July 9, 2026; this policy expires and will be reviewed by July 9, 2027.