Qwant

Qwant is a European search engine that shows you the web in a different way. No tracking cookies, no filter bubble, no spying. Search freely and take back your Internet privacy.

Rules

Program: ten commandments

•   First commandment:

We, Qwant, reserve the right to cancel this program at any time, and the decision to pay a reward is entirely at our discretion.

•   Second commandment:

Thou shalt not disrupt any service or compromise personal data.

•   Third commandment:

Thou shalt not publicly disclose a bug before it has been fixed. Thou shalt also be the first person to responsibly disclose the bug.

•   Fourth commandment:

Thou shalt not join the program if thou art a current or former employee of Qwant.

•   Fifth commandment:

Thou shalt not use brute-forcing or scanning tools, nor attempt Denial of Service against the platform.

•   Sixth commandment:

Thou shalt not violate any local, state, national or international law.

•   Seventh commandment:

Thou shalt stay in the defined scope.

•   Eighth commandment:

Thou shalt not perform physical attacks against Qwant's employees, offices or datacenter.

•   Ninth commandment:

Thou shalt have fun and drink some beers while snooping around for vulnerabilities.

•   Tenth commandment:

Thy participation in this program constitutes acceptance of these rules.

Any failure to comply with these rules will result in the hunter's exclusion from the bug-bounty program, or worse (legal action, ...).

 

Rewards

Qwant offers a minimum reward of 50€. There is no fixed maximum reward: the amount is determined by the Qwant security team according to the criticality and impact of the reported vulnerability.

Any non-security-related issue (bug, wrong interface/API behaviour, ...) is not eligible for a monetary reward and should be sent to https://www.qwant.com/contact.

 

Scope

•   www.qwant.com

•   api.qwant.com, api-boards.qwant.com

•   boards.qwant.com

•   lite.qwant.com

•   s.qwant.com, s1.qwant.com, s2.qwant.com, s-boards.qwant.com

•   www.qwantjunior.com, edu.qwantjunior.com

•   noel.qwantjunior.com

 

Qualifying vulnerabilities

•   Authentication bypass

•   User session compartmentalization issue

•   SQL / NoSQL injections

•   Remote code execution or information leakage through XML external entities

•   Reflected / persistent Cross-site scripting

•   Cross-site request forgery

•   Server-side request forgery

•   Remote code execution on Qwant servers through memory corruption, command injection or other exploitation technique

•   Any vulnerability in the defined scope that could impact the security of the platform and its users

 

Non-qualifying issues

•   Issues outside of defined scope

•   Duplicate issue

•   CSRF in login or logout

•   Social engineering or shoulder-surfing on Qwant's employees

•   Security bugs in third-party websites that integrate with Qwant

•   Spam or exploit kits in search results (URLs that bypass Qwant's anti-malware solutions)

•   Password complexity or any other issue related to account or password policies

•   Missing/invalid HTTP headers

•   Cookie flags

•   Clickjacking

•   Denial of service

•   Results from pivoting to or scanning internal systems

•   SSL/TLS issues

•   Account enumeration

•   SPF/DKIM issues

•   Issues with no security impact

•   Issues impacting protocols or software not developed nor maintained by Qwant

•   Rate-limit issues

•   Forms missing CSRF tokens

•   Text injection

•   Content spoofing

•   Forms missing CAPTCHA

•   Homograph attacks

•   Bypasses of results filters

•   Client-side issues impacting specific browsers

•   Any Adobe Flash / SWF related issues

•   Account policies related issues (token expiration, reset link, password complexity)

•   Self-exploitation

Update 07/11/2016

Additions to non-qualifying issues

•   += Rate-limit issues
•   += Forms missing CSRF tokens
•   += Text injection
•   += Content spoofing
•   += Forms missing CAPTCHA
•   += Homograph attacks
•   += Bypasses of results filters
•   += Client-side issues impacting specific browsers
•   += Any Adobe Flash / SWF related issues
•   += Account policies related issues (token expiration, reset link, password complexity)
•   += Self-exploitation

Update 01/12/2016

Scope

•   += noel.qwantjunior.com

 

Hall Of Fame
Thanks to the following hunters for reporting important security issues.
•   #1 BitK
•   #2 SaxX
•   #3 virtu
•   #4 thomas__
•   #5 onemore
•   #6 Intrusio
•   #7 PiX
•   #8 ycam
•   #9 dev2lead
•   #10 cuirmousthack
•   #11 jet
•   #12 nj8
•   #13 chak
•   #14 bibo
•   #15 pradeepch99
•   #16 H1_hacker
•   #17 Benjis
•   #18 yeuchimse
•   #19 tibounise
•   #20 blue112
•   #21 restricted
•   #22 c0rte
•   #23 sergeym
•   #24 Sajibekanti
•   #25 yassineaboukir
•   #26 Gromak123
•   #27 whitehat_hacker
•   #28 dipak_das
•   #29 Noobz
•   #30 armaanpathan2
•   #31 kotireddyaluri
•   #32 faisal
•   #33 itsmenaga
•   #34 muhammadhammad
•   #35 brdoors
•   #36 kanwar
•   #37 ketangodhani
•   #38 LaLaKhan
•   #39 itsaj3
•   #40 Sappi
•   #41 jayjpatel9717
•   #42 remot3
•   #43 fixit
•   #44 roxenonxsc
•   #45 suhas
•   #46 osama12345
•   #47 Peter-676
•   #48 chemicheal27