2018-12-12
2020-01-21
Reward

100 € 

Qwant

Program Ten commandments

• First commandment:

We, Qwant, reserve the right to cancel this program at any time, and the decision to pay a reward is entirely at our discretion.

• Second commandment:

Thou shalt not disrupt any service or compromise personal data.

• Third commandment:

Thou shalt not publicly disclose a bug before it has been fixed. Thou shalt also be the first person to responsibly disclose the bug.

• Fourth commandment:

Thou shalt not be a current or past employee of QWANT to join the program.

• Fifth commandment:

Thou shalt not use brute-forcing or scanner tools, nor perform Denial of Service attempts on the platform.

• Sixth commandment:

Thou shalt not violate any local, state, national or international law.

• Seventh commandment:

Thou shalt stay in the defined scope.

• Eighth commandment:

Thou shalt not perform physical attacks against Qwant's employees, offices or datacenter.

• Ninth commandment:

Thou shalt have fun and drink some beers while snooping around for vulnerabilities.

• Tenth commandment:

Thy participation in this program will constitute acceptance of these rules.

Any failure to comply with these rules will be sanctioned by the exclusion of the hunter from the bug-bounty program, and even worse (legal action, ...).

Rewards

Qwant will offer a minimum reward of 100€. There is no maximum reward, as it will be determined by the Qwant security team according to the criticality and impact of the reported vulnerability.

Any non-security-related issue (bug, wrong interface/API behavior, ...) will not be eligible for a monetary reward and should be sent to https://www.qwant.com/contact.

Qualifying vulnerabilities

• Authentication bypass

• User session compartmentalization issue

• SQL / NoSQL injections

• Remote code execution or information leakage through XML external entities

• Reflected / persistent Cross-site scripting

• Cross-site request forgery

• Server-side request forgery

• Remote code execution on Qwant servers through memory corruption, command injection or other exploitation technique

• Any vulnerability in defined scope that could impact security of the platform and its users

Non-qualifying issues

• Issues outside of defined scope

• Duplicate issue

• CSRF in login or logout

• Social engineering or shoulder-surfing on Qwant's employees

• Security bugs in third-party websites that integrate with Qwant

• Spam or exploit-kit in search results (URLs that bypass Qwant's anti-malware solutions)

• Password complexity or any other issue related to account or password policies

• Missing/invalid HTTP headers

• Cookie flags

• Clickjacking

• Denial of service

• Results from pivoting or scanning internal systems

• SSL/TLS issues

• Accounts enumeration

• SPF/DKIM issues

• Issues with no security impact

• Issues impacting protocols or software not developed nor maintained by Qwant

• Rate-limit issues

• Forms missing CSRF tokens

• Text injection

• Content spoofing

• Forms missing CAPTCHA

• Homograph attacks

• Bypasses of results filters

• Client-side issues impacting specific browsers

• Any Adobe Flash / SWF related issues

• Account policies related issues (token expiration, reset link, password complexity)

• Self-exploitation

Update 07/11/2016

Non-qualifying issues additions

• += Rate-limit issues
• += Forms missing CSRF tokens
• += Text injection
• += Content spoofing
• += Forms missing CAPTCHA
• += Homograph attacks
• += Bypasses of results filters
• += Client-side issues impacting specific browsers
• += Any Adobe Flash / SWF related issues
• += Account policies related issues (token expiration, reset link, password complexity)
• += Self-exploitation

Update 01/12/2016

Scope

• += noel.qwantjunior.com

Update 09/08/2017

Scope

• += Qwant InstantAnswers: https://github.com/qwant/instant-answers

Update 17/08/2017

• Minimum bounty reward increased to 100€

Update 12/06/2018

Scope
• += org.qwant.com

Update 15/05/2019

• Raise minimum reward

Update 16/01/2020

• -= org.qwant.com

Reward grid

| Qualification | Score CVSS | Bounty |
|---|---|---|
| None | N/A | No Bounty |
| Low | 0.1 - 3.9 | == 100€ |
| Medium | 4.0 - 6.9 | <= 500€ |
| High | 7.0 - 8.9 | <= 5 000€ |
| Critical | 9.0 - 10.0 | <= 10 000 € |

In Scope

| Scope Type | Scope Name |
|---|---|
| api | api.qwant.com |
| api | api-boards.qwant.com |
| web_application | www.qwant.com |
| web_application | boards.qwant.com |
| web_application | lite.qwant.com |
| web_application | s.qwant.com |
| web_application | s1.qwant.com |
| web_application | s2.qwant.com |
| web_application | s-boards.qwant.com |
| web_application | org.qwant.com |
| web_application | masq-ws.qwant.com |
| web_application | masq.qwant.com |
| web_application | qwantjunior.com |
| web_application | edu.qwantjunior.com |


On this program you get up to 10000 € for the most critical vulnerability.
