Return to homepage

Bug bounty

If you believe you may have found a security vulnerability in Quivre, please email me ASAP at with detailed steps to reproduce, and a clear description of any potential impact.

Please read this page carefully. Blatantly invalid reports may not get a response, thank you!

Responsible disclosure

I kindly request that during your research, you make every effort to strictly maintain the privacy and integrity of Quivre user data - and to avoid degrading Quivre's service.

Once you've reported an issue, please give me a reasonable amount of time to reply and to fix any reported vulnerabilities before making the issue public.

In exchange, I promise to investigate reports as quickly as I can - and I agree to not take any legal action against you for your research.

Reward for valid reports

Full credit for any discovery is of course yours (if you want it) in any public postmortem published after bugs have been fixed.

And as a gesture of appreciation for security research efforts, I'm offering a money reward for valid reports (see below).

IMPORTANT: valid report criteria

For a reward to be valid, it must satisfy ALL of the criteria below.

Please keep in mind that >99% of reports are little more than spam. Invalid reports that have not followed these instructions may not always get a response, thanks for understanding!

  1. IMPORTANT: The report must describe clear, practical steps that an attacker could take that lead to accessing private user data or accessing infrastructure systems. Example- Step 1: Attacker does X, Step 2: User does Y, ... Step N: Attacker now has access to user's private answers.
  2. Quivre codes are not private user data. Enumerating them does not qualify.
  3. Bugs that are not directly related to security do not qualify.
  4. Denial of Service (DoS) and social-engineering attacks do not qualify, and should please not be attempted.
  5. Disclosure of infrastructure software or software versions does not qualify.
  6. The contact page does not qualify. A rate and length limit is applied server-side. The lack of re/Captcha is intentional and not a security vulnerability.
  7. The lack of CSRF on logouts does not qualify. This is intentional, and not a security vulnerability.
  8. Any attack which requires access to a user's email account does not qualify.
  9. Quivre uses HTTPS, so any attack which requires man-in-the-middle access does not qualify.
  10. Quivre's domain does not have an MX record. This is intentional, not a security vulnerability, and does not qualify.
  11. You must be the first to report the bug, and you give me reasonable time to fix the issue before making it public.
  12. The reported bug must not depend on specific browser extensions, or exceedingly unlikely user interactions.
  13. The reported bug must not depend on unpatched, out-of-date, or exceedingly rare browsers or other client software.
  14. For your research, you use only test account/s that you own - and never interact with other accounts without the relevant account owners' explicit written consent.
  15. IMPORTANT: Please mention "Van Halen" in your report so that I know you've at least skimmed the text on this page, thanks! :-)
Some examples of relevant vulnerabilities:
  • Authentication, authorization, or session-management security vulnerabilities
  • Privilege escalation vulnerabilities
  • Remote code execution (RCE) vulnerabilities
  • Cross-site scripting (XSS) vulnerabilities
  • Cross-site request forgery (CSRF/XSRF) vulnerabilities

Ultimately it will be solely at my discretion which reports qualify for a monetary reward.

Qualifying reports will receive a minimum of €20 and a maximum of €200, determined solely at my discretion based on severity and the number of affected users.

Payments will be made by PayPal, and any taxes or other fees are solely the recipient's responsibility.

(Note: Quivre is currently a private side project for me, I'll try ramp up the rewards as I'm able to).

Bounty reward history

HazardExternal "_blank" links were vulnerable to "tabnabbing" in vulnerable browsers.2020-12-05<6 hours€30
Muskan ShaikhDuring sign-up, was possible to see if an email address was already registered.2020-11-08<2 hours€30
AnonymousHSTS was only being applied to main domain (, and not<3 hours€20
maSScanLogin rate limiter could be bypassed using null characters in username.2020-09-02<1 hour€30
Arjun SinghHTML injection vulnerability in private consent URL (not normally shared, so low practical significance).2020-06-26<48 hours€30
avnMissing Feature Policy HTTP header.2020-06-18<48 hours€30
Virendra TiwariTheoretical vulnerability against CVE-2013-3587.2020-04-27<17 hours€20
Virendra TiwariBack button could expose a user's Quivre code (but not answers) after logout.2019-10-22<4 hours€40
Amal ThambanTLS 1.0 (weak) supported for old browsers.2019-09-25<6 hours€20
Amal ThambanRisk of email spoofing (had SPF+DKIM but no DMARC).2019-09-23<6 hours€50
Ashik S NPractical HTML injection vulnerability in Quivre code links.2019-07-08<5 hours€50