2016-12-08
2019-09-05

Reward

100 $ 

Quora

Introduction

Quora is committed to the safety and security of users on Quora. To recognize the importance of independent security researchers in keeping Quora safe, we offer the following bug bounty program to reward the reporting of certain qualifying security vulnerabilities. Please make sure you review the following information before you report a vulnerability. By participating in this program, you agree to be bound by the following information.

Program Rules

  • Our rewards are based on the impact of a vulnerability and how we classify the severity of bugs. For more details, please see Issue Severity below.

  • When duplicates occur, we award the first report that we can completely reproduce.

  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

  • Amounts below are the maximum we will pay per category. We aim to be fair, but all reward amounts are at our discretion.

  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for bounty.

  • Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).

  • Localize all your tests to the account you are using to test. Don't affect other users.

  • Automated security testing against the site or APIs is not allowed.

  • Vulnerabilities in third-party libraries without proof of exploitation will not be rewarded.

  • Report product-related issues by following the instructions [here](https://www.quora.com/How-can-I-report-a-bug-on-Quora).

  • We welcome your feedback so we can continue to improve our bug bounty program.

Focus Areas

Currently, we are focused on critical security vulnerabilities, Spaces, and subscriptions. For more information on what types of bugs qualify as critical security vulnerabilities, please see below.

For Spaces, examples of bugs we are looking for include:

  • Vertical authentication bypass

  • Lateral authentication bypass

  • Information leaks

  • XSS

For subscriptions, examples of bugs we are looking for include:

  • complete access to paywalled content in Quora+ and Space subscriptions; and

  • unauthorized engagement with paywalled content, such as answering, commenting, and voting.

Issue Severity

Critical severity bugs

Vulnerabilities that cause privilege escalation on the platform from unprivileged to admin, allow remote code execution, financial theft, etc.

Examples:

  • Remote Code Execution

  • Remote Shell/Command Execution

  • Vertical Authentication bypass

  • SQL Injection that leaks targeted data

  • Vulnerabilities in access control to our AWS resources

  • Misconfigured firewall in our AWS environment

  • Anonymity-related bugs

High severity bugs

Vulnerabilities that affect the security of the platform including the processes it supports.

Examples:

  • Lateral authentication bypass

  • Stored XSS for another user

  • Local file inclusion

  • Insecure handling of authentication cookies

Medium severity bugs

Vulnerabilities that affect multiple users and require little or no user interaction to trigger.

Examples:

  • Reflective XSS

  • Insecure Direct Object References

Low severity bugs

Issues that affect individual users and require interaction or significant prerequisites (MitM) to trigger.

Examples:

  • Self-XSS

  • Information leaks

Exclusions

The following bugs are unlikely to be eligible for a bounty:

  • Missing HTTP security headers, like:

      • Strict-Transport-Security

      • X-Frame-Options

      • X-XSS-Protection

  • Non-existent or weak captcha / captcha bypass

  • Login or “Forgot Password” page brute-forcing, and account lockout not being enforced

  • Lack of enforcement of certain product feature usage limits, such as the number of A2As

  • Lack of binary protection or obfuscation of the mobile app

  • Non-sensitive user data stored unencrypted on external storage by the mobile app

  • Crashes of the mobile app due to malformed URL schemes or intents

  • Vulnerabilities that require physical access to the device

  • Any CSRF

  • Blind SSRF

  • Phishing/spam attacks against users on the platform, and other findings derived from social engineering

  • Misconfiguration in SPF/DKIM records

  • Our [Challenges site](https://www.quora.com/about/challenges/) is run by HackerRank and is therefore excluded from the bounty program.

  • Linked Social Account Login

Additional Terms & Safe Harbor

You must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.

We may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively.

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Please note we do not reimburse independent security researchers for the cost of any subscriptions.

Thank you for helping keep Quora and our users safe!

In Scope

| Scope Type | Scope Name |
| --- | --- |
| android_application | com.quora.android |
| ios_application | com.quora.app.mobile |
| web_application | *.quora.com |


This program leverages 3 scopes, in 3 scope categories.
