

100 $ 


New Feature In Scope

We recently announced the launch of Spaces, a new feature that allows people to curate collections and form communities around shared interests and tastes. You can find more details regarding this feature in the product announcement.

Test Instructions for Spaces (updated 9/4/2019)

  • Users can create 1 space for testing (this would include adding content, trying out the admin settings)
    • Only 1 test space is allowed per user
    • Users need to email in order to get permission to create a space. In the email, please include your HackerOne user ID and the email address you used to sign up for your Quora account.

Program Rules

  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for bounty.
  • Follow HackerOne's disclosure guidelines.
  • Localize all your tests to the account you are using to test. Don't affect other users.
  • Automated security testing against the site or APIs is not allowed.
  • Vulnerabilities in third-party libraries without proof of exploitation will not be rewarded.
  • Report product-related issues by following the instructions here.

Focus Areas


  • Vertical authentication bypass
  • Lateral authentication bypass
  • Information leaks
  • XSS

Critical Severity Vulnerabilities

  • Remote code execution/shell injection
  • Vertical Authentication bypass
  • Public AWS resource policy
  • SQL injection
  • Anonymity-related bugs


We have made conscious product tradeoffs at times and have not implemented some security best practices. Please be aware that we will not pay a bounty for reports that are only about a missing security best practice. Having said that, if a missing best practice can be exploited to impact our users, we do want to hear about it and will pay a bounty.

Examples include but are not limited to:

  • Missing HTTP security headers, like:
    • Strict-Transport-Security
    • X-Frame-Options
    • X-XSS-Protection
  • Non-existent or weak captcha / captcha bypass
  • Login or “Forgot Password” page brute-forcing, and account lockout not being enforced
  • Lack of enforcement of certain product feature usage limits, such as the number of A2As
  • Lack of binary protection or obfuscation of the mobile app
  • Non-sensitive user data stored unencrypted on external storage by the mobile app
  • Crashes of the mobile app due to malformed URL schemes or intents
  • Vulnerabilities that require physical access to the device
  • Any CSRF
  • Phishing/spam attacks against users on the platform, and other findings derived from social engineering
  • Misconfiguration in SPF/DKIM records
  • Our Challenges site is run by HackerRank and is therefore excluded from the bounty program.

Issue Severity

Critical severity bugs

Vulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allow remote code execution, financial theft, etc.


  • Remote Code Execution
  • Remote Shell/Command Execution
  • Vertical Authentication bypass
  • SQL Injection that leaks targeted data
  • Vulnerabilities in access control to our AWS resources
  • Misconfigured firewall in our AWS environment

High severity bugs

Vulnerabilities that affect the security of the platform including the processes it supports. Examples:

  • Lateral authentication bypass
  • Stored XSS for another user
  • Local file inclusion
  • Insecure handling of authentication cookies

Medium severity bugs

Vulnerabilities that affect multiple users, and require little or no user interaction to trigger. Examples:

  • Reflective XSS
  • Insecure Direct Object References

Low severity bugs

Issues that affect individual users and require interaction or significant prerequisites (MitM) to trigger. Examples:

  • Self-XSS
  • Information leaks

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Quora and our users safe!

In Scope

Scope Type Scope Name

android_application

  • Automated security testing against the site or APIs is not allowed.
  • Localize all your tests to the account you are using to test. Don't affect other users.
  • Findings derived primarily from social engineering (e.g. phishing) are not allowed.

web_application

This program leverages 9 scopes in 3 scope categories.

FireBounty © 2015-2019
