Qwant - Qwant is a European search engine that shows you the web in a different way. No tracking cookies, no filter bubble, no spying. Search freely and take back your Internet privacy.

Information

Minimum bounty: 100€

Reports accepted: 171

Reward types: Bounty, Gift, Hall Of Fame

Rules

The program's ten commandments

• First commandment:

We, Qwant, reserve the right to cancel this program at any time, and the decision to pay a reward is entirely at our discretion.

• Second commandment:

Thou shalt not disrupt any service or compromise personal data.

• Third commandment:

Thou shalt not publicly disclose a bug before it has been fixed. Thou shalt also be the first person to responsibly disclose the bug.

• Fourth commandment:

Thou shalt not be a current or former employee of Qwant if thou joinest the program.

• Fifth commandment:

Thou shalt not use brute-forcing or scanning tools, nor attempt denial of service against the platform.

• Sixth commandment:

Thou shalt not violate any local, state, national or international law.

• Seventh commandment:

Thou shalt stay in the defined scope.

• Eighth commandment:

Thou shalt not perform physical attacks against Qwant's employees, offices or datacenter.

• Ninth commandment:

Thou shalt have fun and drink some beers while snooping around for vulnerabilities.

• Tenth commandment:

Thy participation in this program constitutes acceptance of these rules.

Any failure to comply with these rules will result in the hunter's exclusion from the bug bounty program, or worse (legal action, ...).

Rewards

Qwant offers a minimum reward of 100€. There is no maximum reward: the amount is determined by the Qwant security team according to the criticality and impact of the reported vulnerability.

Any non-security issue (functional bug, wrong interface/API behavior, ...) is not eligible for a monetary reward and should be sent to https://www.qwant.com/contact.

Scope

• www.qwant.com

• api.qwant.com, api-boards.qwant.com

• boards.qwant.com

• lite.qwant.com

• s.qwant.com, s1.qwant.com, s2.qwant.com, s-boards.qwant.com

• www.qwantjunior.com, edu.qwantjunior.com

• noel.qwantjunior.com

• Qwant InstantAnswers: https://github.com/qwant/instant-answers

Qualifying vulnerabilities

• Authentication bypass

• User session compartmentalization issue

• SQL / NoSQL injections

• Remote code execution or information leakage through XML external entities

• Reflected / persistent Cross-site scripting

• Cross-site request forgery

• Server-side request forgery

• Remote code execution on Qwant servers through memory corruption, command injection or other exploitation technique

• Any vulnerability in the defined scope that could impact the security of the platform and its users

Non-qualifying issues

• Issues outside of defined scope

• Duplicate issue

• CSRF in login or logout

• Social engineering or shoulder-surfing on Qwant's employees

• Security bugs in third-party websites that integrate with Qwant

• Spam or exploit kits in search results (URLs that bypass Qwant's anti-malware solutions)

• Password complexity or any other issue related to account or password policies

• Missing/invalid HTTP headers

• Cookie flags

• Clickjacking

• Denial of service

• Results from pivoting into or scanning internal systems

• SSL/TLS issues

• Account enumeration

• SPF/DKIM issues

• Issues with no security impact

• Issues impacting protocols or software not developed nor maintained by Qwant

• Rate-limit issues

• Forms missing CSRF tokens

• Text injection

• Content spoofing

• Forms missing a CAPTCHA

• Homograph attacks

• Bypasses of results filters

• Client-side issues impacting specific browsers

• Any Adobe Flash / SWF related issues

• Account policies related issues (token expiration, reset link, password complexity)

• Self-exploitation

Update 07/11/2016

Non-qualifying issues additions

• += Rate-limit issues
• += Forms missing CSRF tokens
• += Text injection
• += Content spoofing
• += Forms missing a CAPTCHA
• += Homograph attacks
• += Bypasses of results filters
• += Client-side issues impacting specific browsers
• += Any Adobe Flash / SWF related issues
• += Account policies related issues (token expiration, reset link, password complexity)
• += Self-exploitation

Update 01/12/2016

Scope

• += noel.qwantjunior.com

Update 09/08/2017

Scope

• += Qwant InstantAnswers: https://github.com/qwant/instant-answers

Update 17/08/2017

• Minimum bounty reward increased to 100€

Update 12/06/2018

Reward grid

Qualification   CVSS score    Bounty
None            N/A           No bounty
Low             0.1 - 3.9     100€
Medium          4.0 - 6.9     up to 500€
High            7.0 - 8.9     up to 5,000€
Critical        9.0 - 10.0    up to 10,000€

Hall Of Fame
Thanks to the following hunters for reporting important security issues.
  • BitK
    #1
  • thomas__
    #2
  • onemore
    #3
  • Rbcafe
    #4
  • SaxX
    #5
  • virtu
    #6
  • lolwut
    #7
  • Intrusio
    #8
  • zoug
    #9
  • pyrk2142
    #10
  • Spi3erDo4KeR
    #11
  • yeuchimse
    #12
  • PiX
    #13
  • bibo
    #14
  • hussein98d
    #15
  • zeeshan
    #16
  • ifrahiman
    #17
  • ycam
    #18
  • Akaash
    #19
  • jet
    #20
  • dev2lead
    #21
  • c0rte
    #22
  • cuirmousthack
    #23
  • Root0401
    #24
  • jtof_fap
    #25
  • harisec
    #26
  • pent3st3r
    #27
  • mefkan
    #28
  • sreeju_kc
    #29
  • nj8
    #30
  • rebooteux
    #31
  • roxenonxsc
    #32
  • ronygigi
    #33
  • BZHash
    #34
  • Benjis
    #35
  • imad1273
    #36
  • mdisec
    #37
  • parablack
    #38
  • Spade
    #39
  • pve
    #40
  • pradeepch99
    #41
  • JihadX92
    #42
  • cendere
    #43
  • tvmpt
    #44
  • H1_hacker
    #45
  • alirazzaq
    #46
  • tibounise
    #47
  • Ahtisham
    #48
  • JAIMAADURGA
    #49
  • abhishek8298
    #50
  • sweetu
    #51
  • Rahul
    #52
  • blue112
    #53
  • Ader1000
    #54
  • restricted
    #55
  • sergeym
    #56
  • EmperorEye
    #57
  • QasimMunir
    #58
  • Abhijeet0014
    #59
  • jensec
    #60
  • peyothl
    #61
  • vyshnav
    #62
  • Sajibekanti
    #63
  • Kilawyn
    #64
  • jatinsinghla
    #65
  • decentguy
    #66
  • Ananthakrishnan
    #67
  • Gromak123
    #68
  • yassineaboukir
    #69
  • akash
    #70
  • MBOZAN
    #71
  • batutahibnu17
    #72
  • Lucas01120
    #73
  • Ridoyp99
    #74
  • dipak_das
    #75
  • Noobz
    #76
  • armaanpathan2
    #77
  • kotireddyaluri
    #78
  • faisal
    #79
  • r00t1337
    #80
  • joker2a
    #81
  • shadow75
    #82
  • whitehat_hacker
    #83
  • itsaj3
    #84
  • Sappi
    #85
  • jayjpatel9717
    #86
  • remot3
    #87
  • fixit
    #88
  • insane_pranj
    #89
  • hari_krishnan
    #90
  • suhas
    #91
  • DreadPirateRobertt
    #92
  • osama12345
    #93
  • 0xMitsurugi
    #94
  • kurdoo
    #95
  • Peter-676
    #96
  • chemicheal27
    #97
  • Bijan_xd
    #98
  • itsmenaga
    #99
  • muhammadhammad
    #100
  • brdoors
    #101
  • kanwar
    #102
  • TST
    #103
  • ketangodhani
    #104
  • LaLaKhan
    #105
  • veeboy
    #106
  • Rey_7
    #107
  • curious_kid
    #108
  • mohamedSayed
    #109
  • webtrack
    #110
  • pratikluhana
    #111
  • bountyfactory2
    #112
  • ab310
    #113
  • Mearafat
    #114
  • attacker007
    #115