2014-11-13
2019-08-06
Reward: 50 $

QIWI

Qiwi Bug Bounty Program
=======================

Scope:

• qiwi kiosks

• Visa Qiwi Wallet mobile apps for iOS, Android

• *.qiwi.ru

• *.qiwi.com

• *.qiwi.me

• *.rapida.ru

• *.contact-sys.com

• vitrina.contact-sys.com (only High and Critical severity server-side)

• *.flocktory.com (only High and Critical severity server-side)

• *.qiwi.kz

• *.tochka-tech.com (except for issues with rate limits)

• *.tochka.com (except for issues with rate limits)

We do not accept or review reports concerning:

• Rate limits (including lack of captcha, etc) on domains tochka-tech.com, tochka.com and their subdomains

• Vulnerability scanners and other automated tools reports

• Reports based only on a product/protocol version, without a demonstration that the vulnerability is actually present, except for vulnerabilities with a CVSS v3 score of 7+

• Reports of a missing protection mechanism or a deviation from best practices (e.g. no CSRF token, no framing/clickjacking protection) without a demonstration of real security impact for a user or the system

• framing, clickjacking;

• Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept -- and not just a report from a scanner);

• Self-XSS;

• Logout CSRF;

• Host header injection;

• Reports regarding public availability of update1.qiwi.com and update-security1.qiwi.com

• SPF misconfiguration;

• Text injection on server error pages;

How do I submit a bug report?

A bug report must give a detailed description of the discovered vulnerability:

• vulnerable hosts;

• the type of vulnerability;

• where exactly;

• security impact;

• steps to reproduce;

• recommendations for fixing.

Reward payment and amounts.

We will pay you a reward if you are the first person to report a given vulnerability. The amounts mentioned in the table below are approximate and may vary with the impact of the vulnerability.

We take the following criteria into account when assessing a vulnerability:

• the possible uses of the vulnerability;

• which service the vulnerability was found on;

• the magnitude of the financial, reputational and other risks the vulnerability poses.

Payments will be made through HackerOne.

There is no limit on the number of bug reports one participant in the Program may submit.

Also, public 0-day/1-day vulnerabilities may be treated as duplicates within a few days after the vulnerability details are published, if the vulnerability is already known to our team from public sources and we are working to mitigate or patch it.

Qiwi Responsible Disclosure Policy

By submitting a bug report you agree to comply with the Qiwi Responsible Disclosure Policy, which forbids public or private disclosure of the details of any vulnerability found in Qiwi within 90 days after the vulnerability is fixed, and after that only by mutual agreement of the parties.

Qiwi employees and employees of any company in the Qiwi group cannot participate in the Qiwi Bug Bounty Program.


In Scope

Scope Type            Scope Name
android_application   ru.mw
ios_application       ru.qiwi.QIWI
ios_application       Qiwi kiosks software
web_application       *.flocktory.com
web_application       *.contact-sys.com
web_application       *.rapida.ru
web_application       *.qiwi.com
web_application       https://github.com/qiwi
web_application       *.qiwi.kz
web_application       *.tochka-tech.com
web_application       *.tochka.com
web_application       echo.tochka.com
web_application       vitrina.contact-sys.com

Out of Scope

Scope Type            Scope Name
android_application   com.qiwi.cashier.ru
web_application       travel.qiwi.com
web_application       travel.qiwi.kz
web_application       booking.qiwi.kz
web_application       armada.qiwi.kz
web_application       79.142.24.0/24
web_application       admin-league.qiwi.kz
web_application       emails.flocktory.com


This program, crawled on 2014-11-13, is sorted as bounty.

FireBounty © 2015-2024
