Quora is committed to the safety and security of users on Quora. To recognize the importance of independent security researchers in keeping Quora safe, we offer the following bug bounty program to reward the reporting of certain qualifying security vulnerabilities. Please make sure you review the following information before you report a vulnerability. By participating in this program, you agree to be bound by the following information.
Our rewards are based on the impact of a vulnerability and how we classify the severity of bugs. For more details, please see Issue Severity below.
When duplicates occur, we award the first report that we can completely reproduce.
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
Amounts below are the maximum we will pay per category. We aim to be fair, but all reward amounts are at our discretion.
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for bounty.
Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).
Localize all your tests to the account you are using to test. Don't affect other users.
Automated security testing against the site or APIs is not allowed.
Vulnerabilities in third-party libraries without proof of exploitation will not be rewarded.
Report product-related issues by following the instructions [here](https://www.quora.com/How-can-I-report-a-bug-on-Quora).
We welcome your feedback so we can continue to improve our bug bounty program.
Currently, we are focused on critical security vulnerabilities, Spaces, and subscriptions. For more information on what types of bugs qualify as critical security vulnerabilities, please see below.
For Spaces, examples of bugs we are looking for include:
- Vertical authentication bypass
- Lateral authentication bypass
- Information leaks
- XSS
For subscriptions, examples of bugs we are looking for include:
- complete access to paywalled content in Quora+ and Space subscriptions; and
- unauthorized engagement with paywalled content, such as answering, commenting, and voting.
Vulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allow remote code execution, enable financial theft, etc.
Examples:
- Remote Code Execution
- Remote Shell/Command Execution
- Vertical Authentication bypass
- SQL Injection that leaks targeted data
- Vulnerabilities in access control to our AWS resources
- Misconfigured firewall in our AWS environment
- Anonymity-related bugs
Vulnerabilities that affect the security of the platform including the processes it supports.
Examples:
- Lateral authentication bypass
- Stored XSS for another user
- Local file inclusion
- Insecure handling of authentication cookies
Vulnerabilities that affect multiple users, and require little or no user interaction to trigger.
Examples:
- Reflective XSS
- Insecure Direct Object References
Issues that affect singular users and require interaction or significant prerequisites (MitM) to trigger.
Examples:
- Self-XSS
- Information leaks
The following bugs are unlikely to be eligible for a bounty:
- Missing HTTP security headers, like:
  - Strict-Transport-Security
  - X-Frame-Options
  - X-XSS-Protection
- Non-existent or weak captcha / captcha bypass
- Login or “Forgot Password” page brute-forcing, and account lockout not being enforced
- Lack of enforcement of certain product feature usage limits, such as the number of A2As
- Lack of binary protection or obfuscation of the mobile app
- Non-sensitive user data stored unencrypted on external storage by the mobile app
- Crashes of the mobile app due to malformed URL schemes or intents
- Vulnerabilities that require physical access to the device
- Any CSRF
- Blind SSRF
- Phishing/spam attacks against users on the platform, and other findings derived from social engineering
- Misconfiguration in SPF/DKIM records
- Our [Challenges site](https://www.quora.com/about/challenges/) is run by HackerRank and is therefore excluded from the bounty program.
- Linked Social Account Login
You must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.
We may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively.
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Please note we do not reimburse independent security researchers for the cost of any subscriptions.
Thank you for helping keep Quora and our users safe!
| Scope Type | Scope Name |
|---|---|
| android_application | com.quora.android |
| ios_application | com.quora.app.mobile |
| web_application | *.quora.com |
This program has 3 scopes, in 3 scope categories.
FireBounty © 2015-2024