06/07/2016

Reward

100 € 

Qwant

Rules

Program Ten commandments

• First commandment:

We, Qwant, reserve the right to cancel this program at any time, and the decision to pay a reward is entirely at our discretion.

• Second commandment:

Thou shalt not disrupt any service or compromise personal data.

• Third commandment:

Thou shalt not publicly disclose a bug before it has been fixed. Thou shalt also be the first person to responsibly disclose the bug.

• Fourth commandment:

Thou shalt not be a current or past employee of QWANT to join the program.

• Fifth commandment:

Thou shalt not use brute-forcing or scanner tools, nor perform denial-of-service attempts on the platform.

• Sixth commandment:

Thou shalt not violate any local, state, national or international law.

• Seventh commandment:

Thou shalt stay in the defined scope.

• Eighth commandment:

Thou shalt not perform physical attacks against Qwant's employees, offices or datacenter.

• Ninth commandment:

Thou shalt have fun and drink some beers while snooping around for vulnerabilities.

• Tenth commandment:

Thy participation in this program will constitute acceptance of these rules.

Any failure to comply with these rules will result in the hunter's exclusion from the bug-bounty program, or worse (legal action, ...).

Rewards

Qwant will offer a minimum reward of 100€. There is no maximum reward, as it will be determined by the Qwant security team according to the criticality and impact of the reported vulnerability.

Any non-security-related issue (bug, wrong interface/API behavior, ...) will not be eligible for a monetary reward and should be sent to https://www.qwant.com/contact.

Scope

• www.qwant.com

• api.qwant.com, api-boards.qwant.com

• boards.qwant.com

• lite.qwant.com

• s.qwant.com, s1.qwant.com, s2.qwant.com, s-boards.qwant.com

• www.qwantjunior.com, edu.qwantjunior.com

• noel.qwantjunior.com

• Qwant InstantAnswers: https://github.com/qwant/instant-answers

Qualifying vulnerabilities

• Authentication bypass

• User session compartmentalization issue

• SQL / NoSQL injections

• Remote code execution or information leakage through XML external entities

• Reflected / persistent Cross-site scripting

• Cross-site request forgery

• Server-side request forgery

• Remote code execution on Qwant servers through memory corruption, command injection or other exploitation technique

• Any vulnerability in the defined scope that could impact the security of the platform and its users

Non-qualifying issues

• Issues outside of defined scope

• Duplicate issue

• CSRF in login or logout

• Social engineering or shoulder-surfing on Qwant's employees

• Security bugs in third-party websites that integrate with Qwant

• Spam or exploit kits in search results (URLs that bypass Qwant's anti-malware solutions)

• Password complexity or any other issue related to account or password policies

• Missing/invalid HTTP headers

• Cookie flags

• Clickjacking

• Denial of service

• Results from pivoting or scanning internal systems

• SSL/TLS issues

• Account enumeration

• SPF/DKIM issues

• Issues with no security impact

• Issues impacting protocols or software not developed nor maintained by Qwant

• Rate-limit issues

• Forms missing CSRF tokens

• Text injection

• Content spoofing

• Forms missing Captcha

• Homograph attacks

• Bypasses of results filters

• Client-side issues impacting specific browsers

• Any Adobe Flash / SWF related issues

• Account policies related issues (token expiration, reset link, password complexity)

• Self-exploitation

Update 07/11/2016

Non-qualifying issues additions

• += Rate-limit issues
• += Forms missing CSRF tokens
• += Text injection
• += Content spoofing
• += Forms missing Captcha
• += Homograph attacks
• += Bypasses of results filters
• += Client-side issues impacting specific browsers
• += Any Adobe Flash / SWF related issues
• += Account policies related issues (token expiration, reset link, password complexity)
• += Self-exploitation

Update 01/12/2016

Scope

• += noel.qwantjunior.com

Update 09/08/2017

Scope

• += Qwant InstantAnswers: https://github.com/qwant/instant-answers

Update 17/08/2017

• Minimum bounty reward increased to 100€

Update 12/06/2018

Reward grid

Qualification | CVSS score | Bounty
---|---|---
None | N/A | No Bounty
Low | 0.1 - 3.9 | == 100€
Medium | 4.0 - 6.9 | <= 500€
High | 7.0 - 8.9 | <= 5 000€
Critical | 9.0 - 10.0 | <= 10 000 €


FireBounty (c) 2015-2018