|Scope Type||Scope Name|
|web_application||Automated security testing against the site or APIs is not allowed.|
|web_application||Localize all your tests to the account you are using to test. Don't affect other users.|
|web_application||Findings derived primarily from social engineering (e.g. phishing) are not allowed.|
We recently announced the launch of Spaces, a new feature that allows people to curate collections and form communities around shared interests and tastes. You can find more details regarding this feature at
We have made conscious product tradeoffs at times and have not implemented some security best practices. Please be aware that we will not pay a bounty for reports that are only about a missing security best practice. Having said that, if a missing best practice can be exploited to impact our users, we do want to hear about it and will pay a bounty.
Examples include but are not limited to:
Vulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allow remote code execution, financial theft, etc.
Vulnerabilities that affect the security of the platform including the processes it supports. Examples:
Vulnerabilities that affect multiple users, and require little or no user interaction to trigger. Examples:
Issues that affect singular users and require interaction or significant prerequisites (MitM) to trigger. Examples:
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep Quora and our users safe!