Bug bounty

If you believe you may have found a security vulnerability in Quivre, please email me as soon as possible at security@quiv.re with detailed steps to reproduce it and a clear description of the potential impact.

Please read this page carefully. Blatantly invalid reports may not get a response. Thank you!

Responsible disclosure

I kindly request that during your research you make every effort to strictly maintain the privacy and integrity of Quivre user data, and to avoid degrading Quivre's service.

Once you've reported an issue, please give me a reasonable amount of time to reply and to fix any reported vulnerabilities before making the issue public.

In exchange, I promise to investigate reports as quickly as I can, and I agree not to take any legal action against you for your research.

Reward for valid reports

Full credit for any discovery is of course yours (if you want it) in any public postmortem published after bugs have been fixed.

As a gesture of appreciation for security research efforts, I'm offering a monetary reward for valid reports (see below).

IMPORTANT: valid report criteria

For a report to be valid and eligible for a reward, it must satisfy ALL of the criteria below.

Please keep in mind that more than 99% of reports received are little more than spam. Invalid reports that have not followed these instructions may not always get a response. Thanks for understanding!

  1. IMPORTANT: The report must describe clear, practical steps that an attacker could take that lead to accessing private user data or infrastructure systems. Example: Step 1: Attacker does X. Step 2: User does Y. ... Step N: Attacker now has access to the user's private answers.
  2. Quivre codes are not private user data. Enumerating them does not qualify.
  3. Bugs that are not directly related to security do not qualify.
  4. Denial of Service (DoS) and social-engineering attacks do not qualify, and should please not be attempted.
  5. Disclosure of infrastructure software or software versions does not qualify.
  6. The contact page does not qualify. A rate limit and a length limit are applied server-side. The lack of a reCAPTCHA or similar challenge is intentional and not a security vulnerability.
  7. The lack of CSRF protection on logout does not qualify. This is intentional, and not a security vulnerability.
  8. Any attack which requires access to a user's email account does not qualify.
  9. Quivre uses HTTPS, so any attack which requires a man-in-the-middle position on the network does not qualify.
  10. Quivre's domain does not have an MX record. This is intentional, not a security vulnerability, and does not qualify.
  11. You must be the first to report the bug, and you give me reasonable time to fix the issue before making it public.
  12. The reported bug must not depend on specific browser extensions, or exceedingly unlikely user interactions.
  13. The reported bug must not depend on unpatched, out-of-date, or exceedingly rare browsers or other client software.
  14. For your research, you use only test accounts that you own, and never interact with other accounts without the relevant account owners' explicit written consent.
  15. IMPORTANT: Please mention "Van Halen" in your report so that I know you've at least skimmed the text on this page, thanks! :-)

Some examples of relevant vulnerabilities:
  • Authentication, authorization, or session-management security vulnerabilities
  • Privilege escalation vulnerabilities
  • Remote code execution (RCE) vulnerabilities
  • Cross-site scripting (XSS) vulnerabilities
  • Cross-site request forgery (CSRF/XSRF) vulnerabilities

Ultimately it will be solely at my discretion which reports qualify for a monetary reward.

Qualifying reports will receive a minimum of €20 and a maximum of €200, determined solely at my discretion based on severity and the number of affected users.

Payments will be made by PayPal, and any taxes or other fees are solely the recipient's responsibility.

(Note: Quivre is currently a private side project for me; I'll try to ramp up the rewards as I'm able to.)

Bounty reward history

Researcher       | Vulnerability                                                                                                    | Reported   | Fixed within | Paid
-----------------|------------------------------------------------------------------------------------------------------------------|------------|--------------|-----
Hazard           | External "_blank" links were vulnerable to "tabnabbing" in vulnerable browsers.                                  | 2020-12-05 | 6 hours      | €30
Muskan Shaikh    | During sign-up, it was possible to see if an email address was already registered.                               | 2020-11-08 | 2 hours      | €30
Anonymous        | HSTS was only being applied to the main domain (www.quiv.re), and not to quiv.re.                                | 2020-09-03 | 3 hours      | €20
maSScan          | Login rate limiter could be bypassed using null characters in the username.                                      | 2020-09-02 | 1 hour       | €30
Arjun Singh      | HTML injection vulnerability in the private consent URL (not normally shared, so of low practical significance). | 2020-06-26 | 48 hours     | €30
avn              | Missing Feature Policy HTTP header.                                                                              | 2020-06-18 | 48 hours     | €30
Virendra Tiwari  | Theoretical vulnerability against CVE-2013-3587.                                                                 | 2020-04-27 | 17 hours     | €20
Virendra Tiwari  | Back button could expose a user's Quivre code (but not answers) after logout.                                    | 2019-10-22 | 4 hours      | €40
Amal Thamban     | TLS 1.0 (weak) supported for old browsers.                                                                       | 2019-09-25 | 6 hours      | €20
Amal Thamban     | Risk of email spoofing (had SPF+DKIM but no DMARC).                                                              | 2019-09-23 | 6 hours      | €50
Ashik S N        | Practical HTML injection vulnerability in Quivre code links.                                                     | 2019-07-08 | 5 hours      | €50
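The null-character rate-limiter bypass in the history above is a general pattern worth seeing in code. The following is an added illustration, not Quivre's own code, and the page does not describe the actual mechanism: it is assumed here that the limiter bucketed login attempts by the raw username string, so that every distinct byte sequence ("alice", "alice\x00", "alice\x00\x00", ...) received a fresh allowance. The attempt limit, window length, function names and the sample usernames are all constructed for the example.

```python
"""Login rate limiter keyed on the raw username (vulnerable) versus a
normalized username (hardened). Constructed example; the bucketing
mechanism and the limits below are assumptions, not Quivre's code."""
import unicodedata
from collections import defaultdict

MAX_ATTEMPTS = 5       # attempts allowed per key per window (assumed policy)
WINDOW_SECONDS = 300   # sliding window length in seconds (assumed policy)


def raw_key(username: str) -> str:
    """Vulnerable keying: the raw string is the bucket key, so
    'alice', 'alice\\x00' and 'alice\\x00\\x00' are three separate buckets."""
    return username


def normalized_key(username: str) -> str:
    """Hardened keying: drop control and format characters (Unicode
    category C*, which covers NUL and zero-width joiners), apply NFKC so
    compatibility variants such as fullwidth letters collapse, then trim
    and casefold. All spellings of one account share one bucket."""
    cleaned = "".join(ch for ch in username
                      if not unicodedata.category(ch).startswith("C"))
    return unicodedata.normalize("NFKC", cleaned).strip().casefold()


def username_is_acceptable(username: str) -> bool:
    """Belt and braces: reject usernames containing control characters at
    validation time, before they reach the limiter or the database,
    rather than only normalizing them away."""
    return bool(username) and not any(
        unicodedata.category(ch).startswith("C") for ch in username)


class LoginRateLimiter:
    """Sliding-window limiter; key_func decides what counts as 'the same user'."""

    def __init__(self, key_func, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS):
        self.key_func = key_func
        self.max_attempts = max_attempts
        self.window = window
        self._attempts = defaultdict(list)  # key -> timestamps of recent attempts

    def allow(self, username: str, now: float) -> bool:
        """Return True if a login attempt for username may proceed at time now."""
        key = self.key_func(username)
        recent = [t for t in self._attempts[key] if now - t < self.window]
        if len(recent) >= self.max_attempts:
            self._attempts[key] = recent
            return False
        recent.append(now)
        self._attempts[key] = recent
        return True


def count_allowed(limiter: LoginRateLimiter, usernames, attempts_each: int) -> int:
    """Run attempts_each login attempts per username, one second apart (all
    inside a single window), and return how many the limiter let through."""
    allowed = 0
    t = 0.0
    for name in usernames:
        for _ in range(attempts_each):
            if limiter.allow(name, t):
                allowed += 1
            t += 1.0
    return allowed


# Constructed attacker input: one account spelled with trailing NULs,
# a zero-width joiner, and a fullwidth 'A'.
VARIANTS = ["alice", "alice\x00", "alice\x00\x00", "alice\u200d", "\uff21lice"]

if __name__ == "__main__":
    # 5 variants x 10 attempts: the raw key lets 25 through, the normalized key 5
    print("raw key allows:       ", count_allowed(LoginRateLimiter(raw_key), VARIANTS, 10))
    print("normalized key allows:", count_allowed(LoginRateLimiter(normalized_key), VARIANTS, 10))
```

Normalizing the key only closes the "same account, different spelling" hole; an attacker can still cycle through many real usernames. In practice the per-username limiter is combined with a per-source (IP or session) limiter, and control characters are rejected at input validation so they never reach the limiter, the log, or the database in the first place.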