Last updated: December 1, 2018
Our Responsible Disclosure Policy
Quantstamp deeply values the trust that our customers and business partners place in us, so the security of our platform is of the utmost importance to us. If you are a security researcher and have discovered a security vulnerability in one of our services, products, programs, or protocols, we appreciate your help in disclosing it to us in a responsible manner. Quantstamp will engage with security researchers when potential vulnerabilities are reported to us in accordance with this policy, and we will validate and remediate reported vulnerabilities in accordance with it. Quantstamp reserves all of its legal rights in the event of any noncompliance.
Reporting
Quantstamp runs a bug bounty program for many of our services, subject to modification or cancellation at our discretion from time to time. We encourage security researchers to share the details of any suspected vulnerabilities with us by sending an email to [email protected]; such emails are treated as Submissions via the Site. When reporting a suspected vulnerability via email or the Site, please include the following information:
- Detailed information, including the steps we need to reproduce the vulnerability
- Your email address
In addition, we ask that you:
- Understand that all valid reports will be taken seriously by our engineering teams
- Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services (including Denial of Service)
- Comply with all applicable laws
We will only reward the first report of a vulnerability. Public disclosure of the vulnerability prior to resolution may cancel a pending reward. We reserve the right to disqualify individuals from the program for disrespectful or disruptive behaviour.
We will not negotiate in response to duress or threats (e.g. we will not negotiate the payout amount under threat of withholding the vulnerability, or of releasing the vulnerability or any exposed data to the public).
Targets
In Scope
| Target Name | Type |
| --- | --- |
| *.quantstamp.com | Website |
Out of Scope
The following issues are outside the scope of our rewards program:
- Account/e-mail enumeration using brute-force attacks
- Any low-impact issues related to session management (e.g. concurrent sessions, session expiration, no logout on password reset/change, etc.)
- Bypassing content restrictions when uploading a file without proving the file was received
- Clickjacking/UI redressing
- Incomplete or missing SPF/DMARC/DKIM records
- Issues related to password/credential strength, length, lockouts, or lack of brute-force/rate-limiting protections
- Lack of SSL or mixed content
- Missing cookie flags
- No Strict Transport Security (HSTS) headers set
- Reflected file download attacks (RFD)
- Self-exploitation (e.g. reusing your own password reset links or cookies)
- URL redirection
- Use of a known-vulnerable library that leads only to a low-impact vulnerability (e.g. an outdated jQuery version leading to low-impact XSS)
- Vulnerabilities affecting users of outdated browsers, plugins or platforms
- Vulnerabilities that allow for the injection of arbitrary text without allowing hyperlinks, HTML, or JavaScript code to be injected
- Vulnerabilities that require the user/victim to perform extremely unlikely actions (e.g. Self-XSS)
- Google docs, outdated references, repository links, etc. referenced from static PDFs hosted on certificate.quantstamp.com
In addition, we count the following activities as strictly prohibited, and thus not rewardable:
- Social Engineering attacks
- DDoS
- Use of automated vulnerability / scanning tools