
QWANT Bug Bounty


Angelina:
submit bug report: https://yeswehack.com/programs/qwant

Program Ten commandments

• First commandment:

We, Qwant, reserve the right to cancel this program at any time, and the decision to pay a reward is entirely at our discretion.

• Second commandment:

Thou shalt not disrupt any service or compromise personal data.

• Third commandment:

Thou shalt not publicly disclose a bug before it has been fixed. Thou shalt also be the first person to responsibly disclose the bug.

• Fourth commandment:

Thou shalt not be an actual or a past employee of QWANT to join the program.

• Fifth commandment:

Thou shalt not use brute-forcing or scanner tools, nor perform Denial of Service attempts on the platform.

• Sixth commandment:

Thou shalt not violate any local, state, national or international law.

• Seventh commandment:

Thou shalt stay in the defined scope.

• Eighth commandment:

Thou shalt not perform physical attacks against Qwant's employees, offices or datacenter.

• Ninth commandment:

Thou shalt have fun and drink some beers while snooping around for vulnerabilities.

• Tenth commandment:

Thy participation in this program will constitute acceptance of these rules.

Any failure to comply with these rules will be sanctioned by the exclusion of the hunter from the bug-bounty program, or worse (legal proceedings, ...).

Rewards

Qwant will offer a minimum reward of 100€. There is no maximum reward, as it will be determined by the Qwant security team according to the level of criticality and impact of the reported vulnerability.

Any non-security related issue (bug, wrong interface/API behavior, ...) will not be eligible for a money reward and should be sent to https://www.qwant.com/contact.

Qualifying vulnerabilities

• Authentication bypass

• User session compartmentalization issue

• SQL / NoSQL injections

• Remote code execution or information leakage through XML external entities

• Reflected / persistent Cross-site scripting

• Cross-site request forgery

• Server-side request forgery

• Remote code execution on Qwant servers through memory corruption, command injection or other exploitation technique

• Any vulnerability in defined scope that could impact security of the platform and its users

Non-qualifying issues

• Issues outside of defined scope

• Duplicate issue

• CSRF in login or logout

• Social engineering or shoulder-surfing on Qwant's employees

• Security bugs in third-party websites that integrate with Qwant

• Spam or exploit-kit in search results (URLs that bypass Qwant's anti-malware solutions)

• Password complexity or any other issue related to account or password policies

• Missing/invalid HTTP headers

• Cookie flags

• Clickjacking

• Denial of service

• Results from pivoting or scanning internal systems

• SSL/TLS issues

• Account enumeration

• SPF/DKIM issues

• Issues with no security impact

• Issues impacting protocols or software not developed nor maintained by Qwant

• Rate-limit issues

• Forms missing CSRF tokens

• Text injection

• Content spoofing

• Forms missing Captcha

• Homograph attacks

• Bypasses of results filters

• Client-side issues impacting specific browsers

• Any Adobe Flash / SWF related issues

• Account policies related issues (token expiration, reset link, password complexity)

• Self-exploitation

Update 07/11/2016
Non-qualifying issues additions

• += Rate-limit issues
• += Forms missing CSRF tokens
• += Text injection
• += Content spoofing
• += Forms missing Captcha
• += Homograph attacks
• += Bypasses of results filters
• += Client-side issues impacting specific browsers
• += Any Adobe Flash / SWF related issues
• += Account policies related issues (token expiration, reset link, password complexity)
• += Self-exploitation
