Program Ten commandments
• First commandment:
We Qwant, reserve us the right to cancel this program at any time and the decision to pay a reward is entirely at our discretion.
• Second commandment:
Thou shalt not disrupt any service or compromise personal data.
• Third commandement:
Thou shalt not publicly disclose a bug before it has been fixed. Thou shalt also be the first person to responsibly disclose the bug.
• Forth commandment:
Thou shalt not be an actual or a past employee of QWANT to join the program.
• Fifth commandment:
Thou shalt not use bruteforcing or scanners tools nor performs Denial of Service tentatives on the platform.
• Sixth commandment:
Thou shalt not violate any local, state, national or international law.
• Seventh commandment:
Thou shalt stay in the defined scope.
• Eighth commandment:
Thou shalt not perform physical attacks against Qwant's employees, offices or datacenter.
• Ninth commandment:
Thou shalt have fun and drink some beers while snooping around for vulnerabilities.
• Tenth commendment:
Thy participation to this program will constitute acceptance of these rules.
Any failure to comply with these rules will be sanctioned by the exclusion of the hunter from the bug-bounty program and even worse (legal pursuits, ...).
Qwant will offer a minimum reward of 100€. There is no maximum reward as it will be determined by Qwant security team according to the level of criticity and impact of the reported vulnerability.
Any non-security related issue (bug, wrong interface/API behavior, ...) will not be eligible for a money reward and should be sent to https://www.qwant.com/contact.
• api.qwant.com, api-boards.qwant.com
• s.qwant.com, s1.qwant.com, s2.qwant.com, s-boards.qwant.com
• www.qwantjunior.com, edu.qwantjunior.com
• Qwant InstantAnswers: https://github.com/qwant/instant-answers
• Authentication bypass
• User session compartmentalization issue
• SQL / NoSQL injections
• Remote code execution or information leakage through XML external entities
• Reflected / persistent Cross-site scripting
• Cross-site request forgery
• Server-side request forgery
• Remote code execution on Qwant servers through memory corruption, command injection or other exploitation technique
• Any vulnerability in defined scope that could impact security of the platorm and its users
• Issues outside of defined scope
• Duplicate issue
• CSRF in login or logout
• Social engineering or shoulder-surfing on Qwant's employees
• Security bugs in third-party websites that integrate with Qwant
• Spam or exploit-kit in search results (URLs that bypasses Qwant's anti- malware solutions)
• Password complexity or any other issue related to account or password policies
• Missing/invalid HTTP headers
• Cookie flags
• Denial of service
• Results from pivoting or scanning internals systems
• SSL/TLS issues
• Accounts enumeration
• SPF/DKIM issues
• Issues with no security impact
• Issues impacting protocols or software not developed nor maintained by Qwant
• Rate-limit issues
• Forms missing CSRF tokens
• Text injection
• Content spoofing
• Forms missing Catpcha
• Homograph attacks
• Bypasses of results filters
• Client-side Issues impacting specific browsers
• Any Adobe Flash / SWF related issues
• Account policies related issues (token expiration, reset link, password complexity)
Non-qualifying issues additions
• += Rate-limit issues
• += Forms missing CSRF tokens
• += Text injection
• += Content spoofing
• += Forms missing Catpcha
• += Homograph attacks
• += Bypasses of results filters
• += Client-side Issues impacting specific browsers
• += Any Adobe Flash /SWF related issues
• += Account policies related issues (token expiration, reset link, password complexity)
• += Self-exploitation
• += noel.qwantjunior.com
• += Qwant InstantAnswers: https://github.com/qwant/instant-answers
• Minimum bounty reward increased to 100€
Qualification | Score CVSS | Bounty
None | N/A | No Bounty
Low | 0.1 - 3.9 | == 100€
Medium | 4.0 - 6.9 | <= 500€
High | 7.0 - 8.9 | <= 5 000€
Critical | 9.0 - 10.0 | <= 10 000 €
Contact us if you want more information.