New Feature In Scope

We recently announced the launch of Spaces, a new feature that allows people to curate collections and form communities around shared interests and tastes. You can find more details regarding this feature at

• See the product announcement __
• Spaces bounty program guidelines: {F386615}

Test Instructions for Spaces

• Users can create 1 space for testing whatever they want (this would include adding content, trying out the admin settings)
  • Only 1 test space is allowed per user
  • Users need to email hackerone@quora.com in order to get permission to create a space.

Program Rules

• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for bounty.
• Follow HackerOne's disclosure guidelines.
• Localize all your tests to the account you are using to test. Don't affect other users.
• Automated security testing against the site or APIs are not allowed.
• Vulnerabilities in third-party libraries without proof of exploitation will not be rewarded.
• Report product-related issues by following the instructions here __.

Focus Areas

Spaces

• Vertical authentication bypass
• Lateral authentication bypass
• Information leaks
• XSS

Critical Severity Vulnerabilities

• Remote code execution/shell injection
• Vertical Authentication bypass
• Public AWS resource policy
• SQL injection
• Anonymity-related bugs

Exclusions

We have made conscious product tradeoffs at times and have not implemented some security best practices. Please be aware that we will not pay a bounty for reports that are only about a missing security best practice. Having said that, if a missing best practice can be exploited to impact our users, we do want to hear about it and will pay a bounty.

Examples include but are not limited to:

• Missing HTTP security headers, like:
  • Strict-Transport-Security
  • X-Frame-Options
  • X-XSS-Protection
• Non-existent or weak captcha / captcha bypass
• Login or “Forgot Password” page brute-forcing, and account lockout not being enforced
• Lack of enforcement of certain product feature usage limits, such as the number of A2As
• Lack of binary protection or obfuscation of the mobile app
• Non-sensitive user data stored unencrypted on external storage by the mobile app
• Crashes of the mobile app due to malformed URL schemes or intents
• Vulnerabilities that require physical access to the device
• Any CSRF
• Phishing/spam attacks against users on the platform, and other findings derived from social engineering
• Misconfiguration in SPF/DKIM records
• Our Challenges site __is run by HackerRank is therefore excluded from the bounty program.

Issue Severity

Critical severity bugs

Vulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allows remote code execution, financial theft, etc.

Examples:

• Remote Code Execution
• Remote Shell/Command Execution
• Vertical Authentication bypass
• SQL Injection that leaks targeted data
• Vulnerabilities in access control to our AWS resources
• Misconfigured firewall in our AWS environment

High severity bugs:

Vulnerabilities that affect the security of the platform including the processes it supports. Examples:

• Lateral authentication bypass
• Stored XSS for another user
• Local file inclusion
• Insecure handling of authentication cookies

Medium severity bugs

Vulnerabilities that affect multiple users, and require little or no user interaction to trigger. Examples:

• Reflective XSS
• Insecure Direct Object References

Low severity bugs

Issues that affect singular users and require interaction or significant prerequisites (MitM) to trigger. Examples:

• Self-XSS
• Information leaks

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Quora and our users safe!