23541 policies in database
Link to program      
2014-11-13
2019-08-06
QIWI logo
Thank
Gift
HOF
Reward

Reward

50 $ 

QIWI

Qiwi Bug Bounty Program

====================

Scope:


• qiwi kiosks

•  Visa Qiwi Wallet mobile apps for iOS, Android

• *.qiwi.ru

• *.qiwi.com

• *.qiwi.me

• *.rapida.ru

• *.contact-sys.com

• vitrina.contact-sys.com (only High and Critical severity server-side)

• *.flocktory.com ( only High and Critical severity server-side)

• *.qiwi.kz

• *.tochka-tech.com (except for issues with rate limits)

• *.tochka.com (except for issues with rate limits)

We do not accept/review reports with:


• Rate limits (including lack of captcha, etc) on domains tochka-tech.com, tochka.com and their subdomains

• Vulnerability scanners and other automated tools reports

• Reports based on product/protocol version without demonstration of real vulnerability presence, except for vulnerabilities with a CVSS v3 score 7+

• Reports of missed protection mechanism / inconsistent with best practices (e.g. no CSRF token, framing/clickjacking protection) without demonstration of real security impact for user or system

• framing, clickjacking;

• Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept -- and not just a report from a scanner);

• Self-XSS;

• Logout CSRF;

• Host header Injection;

• Reports regarding public availability of update1.qiwi.com and update-security1.qiwi.com

• SPF misconfiguration;

• Text-injection based on server error page;

How do I submit a bug report?


A bug report must give a detailed description of the discovered vulnerability:

• vulnerable hosts;

• the type of vulnerability;

• where exactly;

• security impact;

• steps impact;

• recommendations for fixing.

Reward payment and amounts.


We will pay you a reward if you are the first person to report a given vulnerability.  The amounts mentioned in the table below are approximate and may vary from vulnerability influence.

We are interested  the following  vulnerabilities criteria:


• possible use of the vulnerability

• on what service vulnerability found;

• value of financial, reputational and other risks from vulnerabilities.

Payments will be made through HackerOne.

Number of bug reports by one person of the Program is unlimited.

Also, public 0-day/1-day vulnerabilities may be considered as a duplicate within few days after vulnerability details publication, if vulnerability is known to our team from public sources and we are working to mitigate or patch it.

Qiwi Responsible Disclosure Policy


By submitting a bug report you agree to comply with Qiwi Responsible Disclosure Policy, which forbids public or private disclosure of the details of any vulnerability found on Qiwi within 90 days after vulnerability is fixed and only reciprocal agreement of the parties.

Qiwi employees, the employees in any of Qiwi companies group can't participate in the Qiwi Bug Bounty Program.


In Scope

Scope Type Scope Name
android_application

ru.mw

ios_application

ru.qiwi.QIWI

ios_application

Qiwi kiosks software

web_application

*.flocktory.com

web_application

*.contact-sys.com

web_application

*.rapida.ru

web_application

*.qiwi.com

web_application

https://github.com/qiwi

web_application

*.qiwi.kz

web_application

*.tochka-tech.com

web_application

*.tochka.com

web_application

echo.tochka.com

web_application

vitrina.contact-sys.com

Out of Scope

Scope Type Scope Name
android_application

com.qiwi.cashier.ru

web_application

travel.qiwi.com

web_application

travel.qiwi.kz

web_application

booking.qiwi.kz

web_application

armada.qiwi.kz

web_application

79.142.24.0/24

web_application

admin-league.qiwi.kz


This program crawled on the 2014-11-13 is sorted as bounty.

FireBounty © 2015-2022

Legal notices