[{"id":3754660,"new_policy":"# Update Highlights: [Poe.com](http://poe.com/)\n\nWe highly encourage all researchers who are interested in AI products to test Poe and help us maintain the highest possible levels of security for our users.\n\n# Introduction\n\nWe are committed to the safety and security of users on both Quora and Poe. To recognize the importance of independent security researchers who help keep our platforms secure, we offer the following bug bounty program to reward the reporting of certain qualifying security vulnerabilities. Please make sure you review the following information before reporting a vulnerability. We welcome your feedback at [hackerone@quora.com](mailto:hackerone@quora.com) as we continue to improve our bug bounty programs.\n\nBy participating in these programs, you agree to the rules described below.\n\n# Program Rules\n\n- Our rewards are based on the impact of a vulnerability and how we classify the severity of bugs. For more details, please see Issue Severity below. While a CVSS calculator can be useful for estimating severity, we can’t guarantee that our assessment will match its results.\n- When duplicates occur, we award the first report that we can completely reproduce.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Amounts below are the maximum we will pay per category. We aim to be fair, but all reward amounts are at our discretion.\n- Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for bounty.\n- Follow HackerOne's disclosure guidelines here: https://www.hackerone.com/disclosure-guidelines.\n- Localize all your tests to the accounts you are using to test so you don’t affect other users.\n- Automated security testing against the site or APIs is not allowed.\n- Vulnerabilities in third-party libraries without proof of exploitation will not be rewarded.\n- Report product-related issues by following the instructions at https://www.quora.com/How-can-I-report-a-bug-on-Quora.\n- Employees and contractors who have worked for Quora in the last 6 months are not eligible for a bounty.\n\n# Focus Areas\n\n- Currently we’re focused on critical vulnerabilities and personal data leaks\n- [poe.com](http://poe.com/)\n    - Android, iOS, web, and desktop apps (macOS/Windows) are all included\n    - User information, PII, Poe account information\n    - Bot chats\n    - Poe subscriptions\n    - IDOR\n\n# Issue Severity\n\n## Critical severity bugs\n\nVulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allow remote code execution, enable financial theft, etc.\n\nExamples:\n\n- Remote Code Execution\n- Remote Shell/Command Execution\n- SQL Injection that leaks targeted data\n- Vulnerabilities in access control to our AWS resources\n- Misconfigured firewall in our AWS environment\n- **Jailbreaking the Poe server sandbox**\n\n## High severity bugs\n\nVulnerabilities that affect the security of the platform including the processes it supports.\n\nExamples:\n\n- Lateral movement\n- Authentication bypass\n- Stored XSS for another user\n- Local file inclusion\n- Insecure handling of authentication cookies\n- **PII leakage through the Poe Protocol**\n\n## Medium severity bugs\n\nVulnerabilities that affect multiple users, and require little or no user interaction to trigger.\n\nExamples:\n\n- Reflected XSS\n- Insecure Direct Object References\n\n## 
Low severity bugs\n\nIssues that affect single users and require interaction or significant prerequisites (MitM) to trigger.\n\nExamples:\n\n- Information leaks\n\n# Exclusions\n\nThe following bugs are unlikely to be eligible for a bounty:\n\n- Missing HTTP security headers, like:\n    - Strict-Transport-Security\n    - X-Frame-Options\n    - X-XSS-Protection\n- Non-existent or weak captcha / captcha bypass\n- Brute-forcing, lack of rate limits, or the ability to bypass rate limits, unless there is a demonstrable security impact\n- Lack of binary protection or obfuscation of the mobile app\n- Lack of SSL certificate pinning in mobile apps\n- Lack of jailbreak detection\n- Non-sensitive user data stored unencrypted on external storage by the mobile app\n- Blind SSRF\n- Any CSRF that can’t trigger a state change to the user’s account\n- Vulnerabilities that require physical access to the device, or a compromised email address or linked OAuth account (Facebook, Google)\n- Phishing/spam attacks against users on the platform or Quora employees, and other findings derived from social engineering\n- Self-XSS\n- Tapjacking on the mobile app\n- DoS\n- Crashes of the mobile app due to malformed URL schemes or intents\n- quora.com/cdn-cgi/ and [poe.com](http://poe.com)/cdn-cgi/ endpoints, as they are managed by Cloudflare\n- Brute-forcing email enumeration\n\n# Exclusions for [Quora.com](http://quora.com/)\n\n- Our Help Site ([https://help.quora.com](https://help.quora.com/hc/en-us)) is run by a third party and is therefore excluded from the bounty program.\n- Our Careers Site (https://www.careers.quora.com/) is run by a third party and is therefore excluded from the bounty program.\n- Our Business Site ([https://business.quora.com/](http://business.quora.com/)) is run by a third party and is therefore excluded from the bounty program.\n- Race conditions bypassing product usage limits such as\n    - voting, spam reports, thanking, space URLs/names\n- Paywalled content. 
Quora+ content is out of scope for the program.\n- Space invite links\n\n# Exclusions for [Poe.com](http://poe.com/)\n\n- Bot hallucinations: as testing AI is tricky, make sure results from bots are real findings and not bot hallucinations.\n- Unofficial bots: as bots are created by third parties, we will only triage official bots.\n    - This is the list of official bots to test: https://poe.com/explore?category=Official\n- Help Site ([https://help.poe.com/](https://help.poe.com/hc/en-us/requests/new))\n\n# Additional Terms \u0026 Safe Harbor\n\nYou must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively.\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease note we do not reimburse independent security researchers for the cost of any subscriptions.\n\nThank you for helping keep Quora and Poe users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-04-30T19:23:46.309Z"},{"id":3735024,"new_policy":"# Update Highlights: [Poe.com](http://poe.com/)\n\nWe highly encourage all researchers who are interested in AI products to test Poe and help us maintain the highest possible levels of security for our users.\n\n# Introduction\n\nWe are committed to the safety and security of users on both Quora and Poe. To recognize the importance of independent security researchers who help keep our platforms secure, we offer the following bug bounty program to reward the reporting of certain qualifying security vulnerabilities. Please make sure you review the following information before reporting a vulnerability. We welcome your feedback at [hackerone@quora.com](mailto:hackerone@quora.com) as we continue to improve our bug bounty programs.\n\nBy participating in these programs, you agree to the rules described below.\n\n# Program Rules\n\n- Our rewards are based on the impact of a vulnerability and how we classify the severity of bugs. For more details, please see Issue Severity below. 
While a CVSS calculator can be useful for estimating severity, we can’t guarantee that our assessment will match its results.\n- When duplicates occur, we award the first report that we can completely reproduce.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Amounts below are the maximum we will pay per category. We aim to be fair, but all reward amounts are at our discretion.\n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for bounty.\n- Follow HackerOne's disclosure guidelines here: https://www.hackerone.com/disclosure-guidelines.\n- Localize all your tests to the accounts you are using to test so you don’t affect other users.\n- Automated security testing against the site or APIs is not allowed.\n- Vulnerabilities in third-party libraries without proof of exploitation will not be rewarded.\n- Report product-related issues by following the instructions at https://www.quora.com/How-can-I-report-a-bug-on-Quora.\n- Employees and contractors who have worked for Quora in the last 6 months are not eligible for a bounty.\n\n# Focus Areas\n\n- Currently we’re focused on critical vulnerabilities and personal data leaks\n- [poe.com](http://poe.com/)\n    - Android, iOS, web, and desktop apps (macOS/Windows) are all included\n    - User information, PII, Poe account information\n    - Bot chats\n    - Poe subscriptions\n    - IDOR\n\n# Issue Severity\n\n## Critical severity bugs\n\nVulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allow remote code execution, enable financial theft, etc.\n\nExamples:\n\n- Remote Code Execution\n- Remote Shell/Command Execution\n- Vertical Authentication bypass\n- SQL Injection that leaks targeted data\n- Vulnerabilities in access control to our AWS resources\n- Misconfigured firewall in our AWS environment\n\n## High severity bugs\n\nVulnerabilities 
that affect the security of the platform including the processes it supports.\n\nExamples:\n\n- Lateral movement\n- Authentication bypass\n- Stored XSS for another user\n- Local file inclusion\n- Insecure handling of authentication cookies\n\n## Medium severity bugs\n\nVulnerabilities that affect multiple users, and require little or no user interaction to trigger.\n\nExamples:\n\n- Reflected XSS\n- Insecure Direct Object References\n\n## Low severity bugs\n\nIssues that affect single users and require interaction or significant prerequisites (MitM) to trigger.\n\nExamples:\n\n- Information leaks\n\n# Exclusions for [Quora.com](http://quora.com/)\n\nThe following bugs are unlikely to be eligible for a bounty:\n\n- Missing HTTP security headers, like:\n    - Strict-Transport-Security\n    - X-Frame-Options\n    - X-XSS-Protection\n- Non-existent or weak captcha / captcha bypass\n- Login or “Forgot Password” page brute-forcing, and account lockout not being enforced\n- Lack of enforcement of certain product feature usage limits, such as the number of A2As\n- Lack of binary protection or obfuscation of the mobile app\n- Non-sensitive user data stored unencrypted on external storage by the mobile app\n- Crashes of the mobile app due to malformed URL schemes or intents\n- Vulnerabilities that require physical access to the device\n- Any CSRF\n- Blind SSRF\n- Phishing/spam attacks against users on the platform or Quora employees, and other findings derived from social engineering\n- Our Help Site ([https://help.quora.com](https://help.quora.com/hc/en-us)) is run by a third party and is therefore excluded from the bounty program.\n- Our Careers Site (https://www.careers.quora.com/) is run by a third party and is therefore excluded from the bounty program.\n- Our Business Site ([https://business.quora.com/](http://business.quora.com/)) is run by a third party and is therefore excluded from the bounty program.\n- Self-XSS\n- Brute-forcing, lack of rate limits, or the ability to 
bypass rate limits, unless there is a demonstrable impact\n- Race conditions to increase voting and/or spam reports\n- Paywalled content. Quora+ content is out of scope for the program.\n- Tapjacking on the mobile app\n- Session fixation issues\n- DoS\n\n# Exclusions for [Poe.com](http://poe.com/)\n\n- Missing HTTP security headers, like:\n    - Strict-Transport-Security\n    - X-Frame-Options\n    - X-XSS-Protection\n- Non-existent or weak captcha / captcha bypass\n- Login page brute-forcing, and account lockout not being enforced\n- Crashes of the mobile app due to malformed URL schemes or intents\n- Vulnerabilities that require physical access to the device\n- Any CSRF\n- Blind SSRF\n- Phishing/spam attacks against users on the platform or employees, and other findings derived from social engineering\n- Tapjacking on the mobile app\n- DoS\n- Lack of SSL certificate pinning in mobile apps\n- Lack of jailbreak detection\n- Bot hallucinations: as testing AI is tricky, make sure results from bots are real findings and not bot hallucinations.\n- Unofficial bots: as bots are created by third parties, we will only triage official bots.\n    - This is the list of official bots to test: https://poe.com/explore?category=Official\n- Help Site (https://help.poe.com/)\n\n# Additional Terms \u0026 Safe Harbor\n\nYou must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively.\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease note we do not reimburse independent security researchers for the cost of any subscriptions.\n\nThank you for helping keep Quora and Poe users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-08-04T15:00:27.875Z"},{"id":3734154,"new_policy":"# Update Highlights: [Poe.com](http://poe.com/)\n\nWe highly encourage all researchers who are interested in AI products to test Poe and help us maintain the highest possible levels of security for our users.\n\n# Introduction\n\nWe are committed to the safety and security of users on both Quora and Poe. To recognize the importance of independent security researchers who help keep our platforms secure, we offer the following bug bounty program to reward the reporting of certain qualifying security vulnerabilities. Please make sure you review the following information before reporting a vulnerability. We welcome your feedback at [hackerone@quora.com](mailto:hackerone@quora.com) as we continue to improve our bug bounty programs.\n\nBy participating in these programs, you agree to the rules described below.\n\n# Program Rules\n\n- Our rewards are based on the impact of a vulnerability and how we classify the severity of bugs. For more details, please see Issue Severity below. 
While a CVSS calculator can be useful for estimating severity, we can’t guarantee that our assessment will match its results.\n- When duplicates occur, we award the first report that we can completely reproduce.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Amounts below are the maximum we will pay per category. We aim to be fair, but all reward amounts are at our discretion.\n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for bounty.\n- Follow HackerOne's disclosure guidelines here: https://www.hackerone.com/disclosure-guidelines.\n- Localize all your tests to the accounts you are using to test so you don’t affect other users.\n- Automated security testing against the site or APIs is not allowed.\n- Vulnerabilities in third-party libraries without proof of exploitation will not be rewarded.\n- Report product-related issues by following the instructions at https://www.quora.com/How-can-I-report-a-bug-on-Quora.\n- Employees and contractors who have worked for Quora in the last 6 months are not eligible for a bounty.\n\n# Focus Areas\n\n- Currently we’re focused on critical vulnerabilities and personal data leaks\n- [poe.com](http://poe.com/)\n    - Android, iOS, web, and desktop apps (macOS/Windows) are all included\n    - User information, PII, Poe account information\n    - Bot chats\n    - Poe subscriptions\n    - IDOR\n\n# Issue Severity\n\n## Critical severity bugs\n\nVulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allow remote code execution, enable financial theft, etc.\n\nExamples:\n\n- Remote Code Execution\n- Remote Shell/Command Execution\n- Vertical Authentication bypass\n- SQL Injection that leaks targeted data\n- Vulnerabilities in access control to our AWS resources\n- Misconfigured firewall in our AWS environment\n\n## High severity bugs\n\nVulnerabilities 
that affect the security of the platform including the processes it supports.\n\nExamples:\n\n- Lateral movement\n- Authentication bypass\n- Stored XSS for another user\n- Local file inclusion\n- Insecure handling of authentication cookies\n\n## Medium severity bugs\n\nVulnerabilities that affect multiple users, and require little or no user interaction to trigger.\n\nExamples:\n\n- Reflected XSS\n- Insecure Direct Object References\n\n## Low severity bugs\n\nIssues that affect single users and require interaction or significant prerequisites (MitM) to trigger.\n\nExamples:\n\n- Information leaks\n\n# Exclusions for [Quora.com](http://quora.com/)\n\nThe following bugs are unlikely to be eligible for a bounty:\n\n- Missing HTTP security headers, like:\n    - Strict-Transport-Security\n    - X-Frame-Options\n    - X-XSS-Protection\n- Non-existent or weak captcha / captcha bypass\n- Login or “Forgot Password” page brute-forcing, and account lockout not being enforced\n- Lack of enforcement of certain product feature usage limits, such as the number of A2As\n- Lack of binary protection or obfuscation of the mobile app\n- Non-sensitive user data stored unencrypted on external storage by the mobile app\n- Crashes of the mobile app due to malformed URL schemes or intents\n- Vulnerabilities that require physical access to the device\n- Any CSRF\n- Blind SSRF\n- Phishing/spam attacks against users on the platform or Quora employees, and other findings derived from social engineering\n- Our Help Site ([https://help.quora.com](https://help.quora.com/hc/en-us)) is run by a third party and is therefore excluded from the bounty program.\n- Our Careers Site (https://www.careers.quora.com/) is run by a third party and is therefore excluded from the bounty program.\n- Our Business Site ([https://business.quora.com/](http://business.quora.com/)) is run by a third party and is therefore excluded from the bounty program.\n- Self-XSS\n- Brute-forcing, lack of rate limits, or the ability to 
bypass rate limits, unless there is a demonstrable impact\n- Race conditions to increase voting and/or spam reports\n- Paywalled content. Quora+ content is out of scope for the program.\n- Tapjacking on the mobile app\n- Session fixation issues\n- DoS\n\n# Exclusions for [Poe.com](http://poe.com/)\n\n- Missing HTTP security headers, like:\n    - Strict-Transport-Security\n    - X-Frame-Options\n    - X-XSS-Protection\n- Non-existent or weak captcha / captcha bypass\n- Login page brute-forcing, and account lockout not being enforced\n- Crashes of the mobile app due to malformed URL schemes or intents\n- Vulnerabilities that require physical access to the device\n- Any CSRF\n- Blind SSRF\n- Phishing/spam attacks against users on the platform or employees, and other findings derived from social engineering\n- Tapjacking on the mobile app\n- DoS\n- Lack of SSL certificate pinning in mobile apps\n- Lack of jailbreak detection\n- Bot hallucinations: as testing AI is tricky, make sure results from bots are real findings and not bot hallucinations.\n- Unofficial bots: as bots are created by third parties, we will only triage official bots.\n    - This is the list of official bots to test: https://poe.com/explore?category=Official\n- Help Site (https://help.poe.com/hc/en-us/requests/new)\n\n# Additional Terms \u0026 Safe Harbor\n\nYou must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively.\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease note we do not reimburse independent security researchers for the cost of any subscriptions.\n\nThank you for helping keep Quora and Poe users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-07-27T01:21:32.557Z"},{"id":3656254,"new_policy":"# Introduction\n\nQuora is committed to the safety and security of users on Quora. To recognize the importance of independent security researchers in keeping Quora safe, we offer the following bug bounty program to reward the reporting of certain qualifying security vulnerabilities. Please make sure you review the following information before you report a vulnerability. By participating in this program, you agree to be bound by the following information.\n\n# Program Rules\n\n* Our rewards are based on the impact of a vulnerability and how we classify the severity of bugs. For more details, please see Issue Severity below.\n* When duplicates occur, we award the first report that we can completely reproduce.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Amounts below are the maximum we will pay per category. We aim to be fair, but all reward amounts are at our discretion.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for bounty.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* Localize all your tests to the account you are using to test. 
Don't affect other users.\n* Automated security testing against the site or APIs is not allowed.\n* Vulnerabilities in third-party libraries without proof of exploitation will not be rewarded.\n* Report product-related issues by following the instructions [here](https://www.quora.com/How-can-I-report-a-bug-on-Quora).\n* We welcome your feedback so we can continue to improve our bug bounty program.\n\n# Focus Areas\n\nCurrently, we are focused on critical security vulnerabilities, Spaces, and subscriptions. For more information on what types of bugs qualify as critical security vulnerabilities, please see below.\n\nFor Spaces, examples of bugs we are looking for include:\n\n* Vertical authentication bypass\n* Lateral authentication bypass\n* Information leaks\n* XSS\n\nFor subscriptions, examples of bugs we are looking for include:\n* complete access to paywalled content in Quora+ and Space subscriptions; and\n* unauthorized engagement with paywalled content, such as answering, commenting, and voting.\n\n# Issue Severity\n\n#### Critical severity bugs\n\nVulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allow remote code execution, enable financial theft, etc.\n\nExamples:\n* Remote Code Execution\n* Remote Shell/Command Execution\n* Vertical Authentication bypass\n* SQL Injection that leaks targeted data\n* Vulnerabilities in access control to our AWS resources\n* Misconfigured firewall in our AWS environment\n* Anonymity-related bugs\n\n#### High severity bugs\n\nVulnerabilities that affect the security of the platform including the processes it supports.\n\nExamples:\n* Lateral authentication bypass\n* Stored XSS for another user\n* Local file inclusion\n* Insecure handling of authentication cookies\n\n#### Medium severity bugs\n\nVulnerabilities that affect multiple users, and require little or no user interaction to trigger. 
\n\nExamples:\n* Reflected XSS\n* Insecure Direct Object References\n\n#### Low severity bugs\n\nIssues that affect single users and require interaction or significant prerequisites (MitM) to trigger.\n\nExamples:\n* Self-XSS\n* Information leaks\n\n# Exclusions\n\nThe following bugs are unlikely to be eligible for a bounty:\n* Missing HTTP security headers, like:\n  * Strict-Transport-Security\n  * X-Frame-Options\n  * X-XSS-Protection\n* Non-existent or weak captcha / captcha bypass\n* Login or “Forgot Password” page brute-forcing, and account lockout not being enforced\n* Lack of enforcement of certain product feature usage limits, such as the number of A2As\n* Lack of binary protection or obfuscation of the mobile app\n* Non-sensitive user data stored unencrypted on external storage by the mobile app\n* Crashes of the mobile app due to malformed URL schemes or intents\n* Vulnerabilities that require physical access to the device\n* Any CSRF\n* Blind SSRF\n* Phishing/spam attacks against users on the platform, and other findings derived from social engineering\n* Misconfiguration in SPF/DKIM records\n* Our [Challenges site](https://www.quora.com/about/challenges/) is run by HackerRank and is therefore excluded from the bounty program.\n* Linked Social Account Login\n\n# Additional Terms \u0026 Safe Harbor\n\nYou must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively.\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease note we do not reimburse independent security researchers for the cost of any subscriptions.\n\nThank you for helping keep Quora and our users safe!\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-08-05T16:25:12.270Z"},{"id":3639929,"new_policy":"# Introduction\n\nQuora is committed to the safety and security of users on Quora. To recognize the importance of independent security researchers in keeping Quora safe, we offer the following bug bounty program to reward the reporting of certain qualifying security vulnerabilities. Please make sure you review the following information before you report a vulnerability. By participating in this program, you agree to be bound by the following information.\n\n# Program Rules\n\n* Our rewards are based on the impact of a vulnerability and how we classify the severity of bugs. For more details, please see Issue Severity below.\n* When duplicates occur, we award the first report that we can completely reproduce.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Amounts below are the maximum we will pay per category. We aim to be fair, but all reward amounts are at our discretion.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for bounty.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* Localize all your tests to the account you are using to test. 
Don't affect other users.\n* Automated security testing against the site or APIs is not allowed.\n* Vulnerabilities in third-party libraries without proof of exploitation will not be rewarded.\n* Report product-related issues by following the instructions [here](https://www.quora.com/How-can-I-report-a-bug-on-Quora).\n* We welcome your feedback so we can continue to improve our bug bounty program.\n\n# Focus Areas\n\nCurrently, we are focused on Spaces and critical security vulnerabilities. For more information on what types of bugs qualify as critical security vulnerabilities, please see below. For Spaces, examples of bugs we are looking for include:\n\n* Vertical authentication bypass\n* Lateral authentication bypass\n* Information leaks\n* XSS\n\n# Issue Severity\n\n#### Critical severity bugs\n\nVulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allow remote code execution, enable financial theft, etc.\n\nExamples:\n* Remote Code Execution\n* Remote Shell/Command Execution\n* Vertical Authentication bypass\n* SQL Injection that leaks targeted data\n* Vulnerabilities in access control to our AWS resources\n* Misconfigured firewall in our AWS environment\n* Anonymity-related bugs\n\n#### High severity bugs\n\nVulnerabilities that affect the security of the platform including the processes it supports.\n\nExamples:\n* Lateral authentication bypass\n* Stored XSS for another user\n* Local file inclusion\n* Insecure handling of authentication cookies\n\n#### Medium severity bugs\n\nVulnerabilities that affect multiple users, and require little or no user interaction to trigger.\n\nExamples:\n* Reflected XSS\n* Insecure Direct Object References\n\n#### Low severity bugs\n\nIssues that affect single users and require interaction or significant prerequisites (MitM) to trigger. 
\n\nExamples:\n* Self-XSS\n* Information leaks\n\n# Exclusions\n\nThe following bugs are unlikely to be eligible for a bounty:\n* Missing HTTP security headers, like:\n  * Strict-Transport-Security\n  * X-Frame-Options\n  * X-XSS-Protection\n* Non-existent or weak captcha / captcha bypass\n* Login or “Forgot Password” page brute-forcing, and account lockout not being enforced\n* Lack of enforcement of certain product feature usage limits, such as the number of A2As\n* Lack of binary protection or obfuscation of the mobile app\n* Non-sensitive user data stored unencrypted on external storage by the mobile app\n* Crashes of the mobile app due to malformed URL schemes or intents\n* Vulnerabilities that require physical access to the device\n* Any CSRF\n* Blind SSRF\n* Phishing/spam attacks against users on the platform, and other findings derived from social engineering\n* Misconfiguration in SPF/DKIM records\n* Our [Challenges site](https://www.quora.com/about/challenges/) is run by HackerRank and is therefore excluded from the bounty program.\n* Linked Social Account Login\n\n# Additional Terms \u0026 Safe Harbor\n\nYou must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively.\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Quora and our users safe!\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-07-21T18:45:38.847Z"},{"id":3639802,"new_policy":"# Introduction\n\nQuora is committed to the safety and security of users on Quora. To recognize the importance of independent security researchers in keeping Quora safe, we offer the following bug bounty program to reward the reporting of certain qualifying security vulnerabilities. Please make sure you review the following information before you report a vulnerability. By participating in this program, you agree to be bound by the following information.\n\n# Program Rules\n\n* Our rewards are based on the impact of a vulnerability and how we classify the severity of bugs. For more details, please see Issue Severity below.\n* When duplicates occur, we award the first report that we can completely reproduce.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Amounts below are the maximum we will pay per category. We aim to be fair, but all reward amounts are at our discretion.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for bounty.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* Localize all your tests to the account you are using to test. 
Don't affect other users.\n* Automated security testing against the site or APIs is not allowed.\n* Vulnerabilities in third-party libraries without proof of exploitation will not be rewarded.\n* Report product-related issues by following the instructions [here](https://www.quora.com/How-can-I-report-a-bug-on-Quora).\n* We welcome your feedback so we can continue to improve our bug bounty program.\n\n# Focus Areas\n\nCurrently, we are focused on Spaces and critical security vulnerabilities. For more information on what types of bugs qualify as critical security vulnerabilities, please see below. For Spaces, examples of bugs we are looking for include:\n\n* Vertical authentication bypass\n* Lateral authentication bypass\n* Information leaks\n* XSS\n\n# Issue Severity\n\n#### Critical severity bugs\n\nVulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allow remote code execution, financial theft, etc. Examples:\n* Remote Code Execution\n* Remote Shell/Command Execution\n* Vertical Authentication bypass\n* SQL Injection that leaks targeted data\n* Vulnerabilities in access control to our AWS resources\n* Misconfigured firewall in our AWS environment\n* Anonymity-related bugs\n\n#### High severity bugs\n\nVulnerabilities that affect the security of the platform including the processes it supports. Examples:\n* Lateral authentication bypass\n* Stored XSS for another user\n* Local file inclusion\n* Insecure handling of authentication cookies\n\n#### Medium severity bugs\n\nVulnerabilities that affect multiple users, and require little or no user interaction to trigger. Examples:\n* Reflective XSS\n* Insecure Direct Object References\n\n#### Low severity bugs\n\nIssues that affect individual users and require interaction or significant prerequisites (MitM) to trigger. 
Examples:\n* Self-XSS\n* Information leaks\n\n# Exclusions\nThe following bugs are unlikely to be eligible for a bounty:\n* Missing HTTP security headers, like:\n  * Strict-Transport-Security\n  * X-Frame-Options\n  * X-XSS-Protection\n* Non-existent or weak captcha / captcha bypass\n* Login or “Forgot Password” page brute-forcing, and account lockout not being enforced\n* Lack of enforcement of certain product feature usage limits, such as the number of A2As\n* Lack of binary protection or obfuscation of the mobile app\n* Non-sensitive user data stored unencrypted on external storage by the mobile app\n* Crashes of the mobile app due to malformed URL schemes or intents\n* Vulnerabilities that require physical access to the device\n* Any CSRF\n* Phishing/spam attacks against users on the platform, and other findings derived from social engineering\n* Misconfiguration in SPF/DKIM records\n* Our [Challenges site](https://www.quora.com/about/challenges/) is run by HackerRank and is therefore excluded from the bounty program.\n* Linked Social Account Login\n\n# Additional Terms \u0026 Safe Harbor\n\nYou must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively.\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Quora and our users safe!\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-07-20T17:22:55.916Z"},{"id":3639798,"new_policy":"# Introduction\n\nQuora is committed to the safety and security of users on Quora. To recognize the importance of independent security researchers in keeping Quora safe, we offer the following bug bounty program to reward the reporting of certain qualifying security vulnerabilities. Please make sure you review the following information before you report a vulnerability. By participating in this program, you agree to be bound by the following information.\n\n#### Program Rules\n\n* Our rewards are based on the impact of a vulnerability and how we classify the severity of bugs. For more details, please see Issue Severity below.\n* When duplicates occur, we award the first report that we can completely reproduce.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Amounts below are the maximum we will pay per category. We aim to be fair, but all reward amounts are at our discretion.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for bounty.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* Localize all your tests to the account you are using to test. 
Don't affect other users.\n* Automated security testing against the site or APIs is not allowed.\n* Vulnerabilities in third-party libraries without proof of exploitation will not be rewarded.\n* Report product-related issues by following the instructions [here](https://www.quora.com/How-can-I-report-a-bug-on-Quora).\n* We welcome your feedback so we can continue to improve our bug bounty program.\n\n# Focus Areas\n\nCurrently, we are focused on Spaces and critical security vulnerabilities. For more information on what types of bugs qualify as critical security vulnerabilities, please see below. For Spaces, examples of bugs we are looking for include:\n\n* Vertical authentication bypass\n* Lateral authentication bypass\n* Information leaks\n* XSS\n\n# Issue Severity\n\n#### Critical severity bugs\n\nVulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allow remote code execution, financial theft, etc. Examples:\n* Remote Code Execution\n* Remote Shell/Command Execution\n* Vertical Authentication bypass\n* SQL Injection that leaks targeted data\n* Vulnerabilities in access control to our AWS resources\n* Misconfigured firewall in our AWS environment\n* Anonymity-related bugs\n\n#### High severity bugs\n\nVulnerabilities that affect the security of the platform including the processes it supports. Examples:\n* Lateral authentication bypass\n* Stored XSS for another user\n* Local file inclusion\n* Insecure handling of authentication cookies\n\n#### Medium severity bugs\n\nVulnerabilities that affect multiple users, and require little or no user interaction to trigger. Examples:\n* Reflective XSS\n* Insecure Direct Object References\n\n#### Low severity bugs\n\nIssues that affect individual users and require interaction or significant prerequisites (MitM) to trigger. 
Examples:\n* Self-XSS\n* Information leaks\n\n# Exclusions\nThe following bugs are unlikely to be eligible for a bounty:\n* Missing HTTP security headers, like:\n  * Strict-Transport-Security\n  * X-Frame-Options\n  * X-XSS-Protection\n* Non-existent or weak captcha / captcha bypass\n* Login or “Forgot Password” page brute-forcing, and account lockout not being enforced\n* Lack of enforcement of certain product feature usage limits, such as the number of A2As\n* Lack of binary protection or obfuscation of the mobile app\n* Non-sensitive user data stored unencrypted on external storage by the mobile app\n* Crashes of the mobile app due to malformed URL schemes or intents\n* Vulnerabilities that require physical access to the device\n* Any CSRF\n* Phishing/spam attacks against users on the platform, and other findings derived from social engineering\n* Misconfiguration in SPF/DKIM records\n* Our [Challenges site](https://www.quora.com/about/challenges/) is run by HackerRank and is therefore excluded from the bounty program.\n* Linked Social Account Login\n\n# Additional Terms \u0026 Safe Harbor\n\nYou must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.\n\nWe may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively.\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Quora and our users safe!\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-07-20T16:47:19.299Z"},{"id":3639743,"new_policy":"# New Feature In Scope\n\nWe recently announced the launch of Spaces, a new feature that allows people to curate collections and form communities around shared interests and tastes. You can find more details regarding this feature at the [product announcement](https://www.quora.com/q/quora/Introducing-Spaces).\n\n#### Test Instructions for Spaces (updated 9/4/2019)\n* Users can create 1 space for testing (this would include adding content, trying out the admin settings)\n  * Only 1 test space is allowed per user\n  * Users need to email hackerone@quora.com in order to get permission to create a space. In the email please include your HackerOne user id and the email address you used to sign up for your Quora account.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for bounty.\n* Follow HackerOne's [disclosure guidelines](https://hackerone.com/guidelines).\n* Localize all your tests to the account you are using to test. 
Don't affect other users.\n* Automated security testing against the site or APIs is not allowed.\n* Vulnerabilities in third-party libraries without proof of exploitation will not be rewarded.\n* Report product-related issues by following the instructions [here](https://www.quora.com/How-can-I-report-a-bug-on-Quora).\n\n# Focus Areas\n#### Spaces\n* Vertical authentication bypass\n* Lateral authentication bypass\n* Information leaks\n* XSS\n\n#### Critical Severity Vulnerabilities\n* Remote code execution/shell injection\n* Vertical Authentication bypass\n* Public AWS resource policy\n* SQL injection\n* Anonymity-related bugs\n\n# Exclusions\nThe following bugs are unlikely to be eligible for a bounty:\n* Missing HTTP security headers, like:\n  * Strict-Transport-Security\n  * X-Frame-Options\n  * X-XSS-Protection\n* Non-existent or weak captcha / captcha bypass\n* Login or “Forgot Password” page brute-forcing, and account lockout not being enforced\n* Lack of enforcement of certain product feature usage limits, such as the number of A2As\n* Lack of binary protection or obfuscation of the mobile app\n* Non-sensitive user data stored unencrypted on external storage by the mobile app\n* Crashes of the mobile app due to malformed URL schemes or intents\n* Vulnerabilities that require physical access to the device\n* Any CSRF\n* Phishing/spam attacks against users on the platform, and other findings derived from social engineering\n* Misconfiguration in SPF/DKIM records\n* Our [Challenges site](https://www.quora.com/about/challenges/) is run by HackerRank and is therefore excluded from the bounty program.\n* Linked Social Account Login\n\n# Issue Severity\n#### Critical severity bugs\nVulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allow remote code execution, financial theft, etc.
\n\nExamples:\n* Remote Code Execution\n* Remote Shell/Command Execution\n* Vertical Authentication bypass\n* SQL Injection that leaks targeted data\n* Vulnerabilities in access control to our AWS resources\n* Misconfigured firewall in our AWS environment\n\n#### High severity bugs\nVulnerabilities that affect the security of the platform including the processes it supports. Examples:\n\n* Lateral authentication bypass\n* Stored XSS for another user\n* Local file inclusion\n* Insecure handling of authentication cookies\n\n#### Medium severity bugs\nVulnerabilities that affect multiple users, and require little or no user interaction to trigger. Examples:\n* Reflective XSS\n* Insecure Direct Object References\n\n#### Low severity bugs\nIssues that affect individual users and require interaction or significant prerequisites (MitM) to trigger. Examples:\n* Self-XSS\n* Information leaks\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Quora and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-07-17T18:06:17.872Z"},{"id":3639707,"new_policy":"# New Feature In Scope\n\nWe recently announced the launch of Spaces, a new feature that allows people to curate collections and form communities around shared interests and tastes. 
You can find more details regarding this feature at the [product announcement](https://www.quora.com/q/quora/Introducing-Spaces).\n\n#### Test Instructions for Spaces (updated 9/4/2019)\n* Users can create 1 space for testing (this would include adding content, trying out the admin settings)\n  * Only 1 test space is allowed per user\n  * Users need to email hackerone@quora.com in order to get permission to create a space. In the email please include your HackerOne user id and the email address you used to sign up for your Quora account.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for bounty.\n* Follow HackerOne's [disclosure guidelines](https://hackerone.com/guidelines).\n* Localize all your tests to the account you are using to test. Don't affect other users.\n* Automated security testing against the site or APIs is not allowed.\n* Vulnerabilities in third-party libraries without proof of exploitation will not be rewarded.\n* Report product-related issues by following the instructions [here](https://www.quora.com/How-can-I-report-a-bug-on-Quora).\n\n# Focus Areas\n#### Spaces\n* Vertical authentication bypass\n* Lateral authentication bypass\n* Information leaks\n* XSS\n\n#### Critical Severity Vulnerabilities\n* Remote code execution/shell injection\n* Vertical Authentication bypass\n* Public AWS resource policy\n* SQL injection\n* Anonymity-related bugs\n\n# Exclusions\nPlease be aware that we will not pay a bounty for reports that are only about a missing security best practice. 
Having said that, if a missing best practice can be exploited to impact our users, we do want to hear about it and will pay a bounty.\n\nExamples include but are not limited to:\n* Missing HTTP security headers, like:\n  * Strict-Transport-Security\n  * X-Frame-Options\n  * X-XSS-Protection\n* Non-existent or weak captcha / captcha bypass\n* Login or “Forgot Password” page brute-forcing, and account lockout not being enforced\n* Lack of enforcement of certain product feature usage limits, such as the number of A2As\n* Lack of binary protection or obfuscation of the mobile app\n* Non-sensitive user data stored unencrypted on external storage by the mobile app\n* Crashes of the mobile app due to malformed URL schemes or intents\n* Vulnerabilities that require physical access to the device\n* Any CSRF\n* Phishing/spam attacks against users on the platform, and other findings derived from social engineering\n* Misconfiguration in SPF/DKIM records\n* Our [Challenges site](https://www.quora.com/about/challenges/) is run by HackerRank and is therefore excluded from the bounty program.\n* Linked Social Account Login\n\n# Issue Severity\n#### Critical severity bugs\nVulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allow remote code execution, financial theft, etc.\n\nExamples:\n* Remote Code Execution\n* Remote Shell/Command Execution\n* Vertical Authentication bypass\n* SQL Injection that leaks targeted data\n* Vulnerabilities in access control to our AWS resources\n* Misconfigured firewall in our AWS environment\n\n#### High severity bugs\nVulnerabilities that affect the security of the platform including the processes it supports. Examples:\n\n* Lateral authentication bypass\n* Stored XSS for another user\n* Local file inclusion\n* Insecure handling of authentication cookies\n\n#### Medium severity bugs\nVulnerabilities that affect multiple users, and require little or no user interaction to trigger. 
Examples:\n* Reflective XSS\n* Insecure Direct Object References\n\n#### Low severity bugs\nIssues that affect individual users and require interaction or significant prerequisites (MitM) to trigger. Examples:\n* Self-XSS\n* Information leaks\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Quora and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-07-17T03:14:56.569Z"},{"id":3636636,"new_policy":"# New Feature In Scope\n\nWe recently announced the launch of Spaces, a new feature that allows people to curate collections and form communities around shared interests and tastes. You can find more details regarding this feature at the [product announcement](https://www.quora.com/q/quora/Introducing-Spaces).\n\n#### Test Instructions for Spaces (updated 9/4/2019)\n* Users can create 1 space for testing (this would include adding content, trying out the admin settings)\n  * Only 1 test space is allowed per user\n  * Users need to email hackerone@quora.com in order to get permission to create a space. In the email please include your HackerOne user id and the email address you used to sign up for your Quora account.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for bounty.\n* Follow HackerOne's [disclosure guidelines](https://hackerone.com/guidelines).\n* Localize all your tests to the account you are using to test. Don't affect other users.\n* Automated security testing against the site or APIs is not allowed.\n* Vulnerabilities in third-party libraries without proof of exploitation will not be rewarded.\n* Report product-related issues by following the instructions [here](https://www.quora.com/How-can-I-report-a-bug-on-Quora).\n\n# Focus Areas\n#### Spaces\n* Vertical authentication bypass\n* Lateral authentication bypass\n* Information leaks\n* XSS\n\n#### Critical Severity Vulnerabilities\n* Remote code execution/shell injection\n* Vertical Authentication bypass\n* Public AWS resource policy\n* SQL injection\n* Anonymity-related bugs\n\n# Exclusions\nWe have made conscious product tradeoffs at times and have not implemented some security best practices. Please be aware that we will not pay a bounty for reports that are only about a missing security best practice. 
Having said that, if a missing best practice can be exploited to impact our users, we do want to hear about it and will pay a bounty.\n\nExamples include but are not limited to:\n* Missing HTTP security headers, like:\n  * Strict-Transport-Security\n  * X-Frame-Options\n  * X-XSS-Protection\n* Non-existent or weak captcha / captcha bypass\n* Login or “Forgot Password” page brute-forcing, and account lockout not being enforced\n* Lack of enforcement of certain product feature usage limits, such as the number of A2As\n* Lack of binary protection or obfuscation of the mobile app\n* Non-sensitive user data stored unencrypted on external storage by the mobile app\n* Crashes of the mobile app due to malformed URL schemes or intents\n* Vulnerabilities that require physical access to the device\n* Any CSRF\n* Phishing/spam attacks against users on the platform, and other findings derived from social engineering\n* Misconfiguration in SPF/DKIM records\n* Our [Challenges site](https://www.quora.com/about/challenges/) is run by HackerRank and is therefore excluded from the bounty program.\n* Linked Social Account Login\n\n# Issue Severity\n#### Critical severity bugs\nVulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allow remote code execution, financial theft, etc.\n\nExamples:\n* Remote Code Execution\n* Remote Shell/Command Execution\n* Vertical Authentication bypass\n* SQL Injection that leaks targeted data\n* Vulnerabilities in access control to our AWS resources\n* Misconfigured firewall in our AWS environment\n\n#### High severity bugs\nVulnerabilities that affect the security of the platform including the processes it supports. Examples:\n\n* Lateral authentication bypass\n* Stored XSS for another user\n* Local file inclusion\n* Insecure handling of authentication cookies\n\n#### Medium severity bugs\nVulnerabilities that affect multiple users, and require little or no user interaction to trigger. 
Examples:\n* Reflective XSS\n* Insecure Direct Object References\n\n#### Low severity bugs\nIssues that affect individual users and require interaction or significant prerequisites (MitM) to trigger. Examples:\n* Self-XSS\n* Information leaks\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Quora and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-05-22T19:20:49.057Z"},{"id":3618117,"new_policy":"# New Feature In Scope\n\nWe recently announced the launch of Spaces, a new feature that allows people to curate collections and form communities around shared interests and tastes. You can find more details regarding this feature at the [product announcement](https://www.quora.com/q/quora/Introducing-Spaces).\n\n#### Test Instructions for Spaces (updated 9/4/2019)\n* Users can create 1 space for testing (this would include adding content, trying out the admin settings)\n  * Only 1 test space is allowed per user\n  * Users need to email hackerone@quora.com in order to get permission to create a space. In the email please include your HackerOne user id and the email address you used to sign up for your Quora account.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for bounty.\n* Follow HackerOne's [disclosure guidelines](https://hackerone.com/guidelines).\n* Localize all your tests to the account you are using to test. Don't affect other users.\n* Automated security testing against the site or APIs is not allowed.\n* Vulnerabilities in third-party libraries without proof of exploitation will not be rewarded.\n* Report product-related issues by following the instructions [here](https://www.quora.com/How-can-I-report-a-bug-on-Quora).\n\n# Focus Areas\n#### Spaces\n* Vertical authentication bypass\n* Lateral authentication bypass\n* Information leaks\n* XSS\n\n#### Critical Severity Vulnerabilities\n* Remote code execution/shell injection\n* Vertical Authentication bypass\n* Public AWS resource policy\n* SQL injection\n* Anonymity-related bugs\n\n# Exclusions\nWe have made conscious product tradeoffs at times and have not implemented some security best practices. Please be aware that we will not pay a bounty for reports that are only about a missing security best practice. 
Having said that, if a missing best practice can be exploited to impact our users, we do want to hear about it and will pay a bounty.\n\nExamples include but are not limited to:\n* Missing HTTP security headers, like:\n  * Strict-Transport-Security\n  * X-Frame-Options\n  * X-XSS-Protection\n* Non-existent or weak captcha / captcha bypass\n* Login or “Forgot Password” page brute-forcing, and account lockout not being enforced\n* Lack of enforcement of certain product feature usage limits, such as the number of A2As\n* Lack of binary protection or obfuscation of the mobile app\n* Non-sensitive user data stored unencrypted on external storage by the mobile app\n* Crashes of the mobile app due to malformed URL schemes or intents\n* Vulnerabilities that require physical access to the device\n* Any CSRF\n* Phishing/spam attacks against users on the platform, and other findings derived from social engineering\n* Misconfiguration in SPF/DKIM records\n* Our [Challenges site](https://www.quora.com/about/challenges/) is run by HackerRank and is therefore excluded from the bounty program.\n\n# Issue Severity\n#### Critical severity bugs\nVulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allow remote code execution, financial theft, etc.\n\nExamples:\n* Remote Code Execution\n* Remote Shell/Command Execution\n* Vertical Authentication bypass\n* SQL Injection that leaks targeted data\n* Vulnerabilities in access control to our AWS resources\n* Misconfigured firewall in our AWS environment\n\n#### High severity bugs\nVulnerabilities that affect the security of the platform including the processes it supports. Examples:\n\n* Lateral authentication bypass\n* Stored XSS for another user\n* Local file inclusion\n* Insecure handling of authentication cookies\n\n#### Medium severity bugs\nVulnerabilities that affect multiple users, and require little or no user interaction to trigger. 
Examples:\n* Reflective XSS\n* Insecure Direct Object References\n\n#### Low severity bugs\nIssues that affect individual users and require interaction or significant prerequisites (MitM) to trigger. Examples:\n* Self-XSS\n* Information leaks\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Quora and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-09-05T01:08:30.202Z"},{"id":3618114,"new_policy":"# New Feature In Scope\n\nWe recently announced the launch of Spaces, a new feature that allows people to curate collections and form communities around shared interests and tastes. You can find more details regarding this feature at the [product announcement](https://www.quora.com/q/quora/Introducing-Spaces).\n\n#### Test Instructions for Spaces (updated 9/4/2019)\n* Users can create 1 space for testing (this would include adding content, trying out the admin settings)\n  * Only 1 test space is allowed per user\n  * Users need to email hackerone@quora.com in order to get permission to create a space.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for bounty.\n* Follow HackerOne's [disclosure guidelines](https://hackerone.com/guidelines).\n* Localize all your tests to the account you are using to test. 
Don't affect other users.\n* Automated security testing against the site or APIs is not allowed.\n* Vulnerabilities in third-party libraries without proof of exploitation will not be rewarded.\n* Report product-related issues by following the instructions [here](https://www.quora.com/How-can-I-report-a-bug-on-Quora).\n\n# Focus Areas\n#### Spaces\n* Vertical authentication bypass\n* Lateral authentication bypass\n* Information leaks\n* XSS\n\n#### Critical Severity Vulnerabilities\n* Remote code execution/shell injection\n* Vertical Authentication bypass\n* Public AWS resource policy\n* SQL injection\n* Anonymity-related bugs\n\n# Exclusions\nWe have made conscious product tradeoffs at times and have not implemented some security best practices. Please be aware that we will not pay a bounty for reports that are only about a missing security best practice. Having said that, if a missing best practice can be exploited to impact our users, we do want to hear about it and will pay a bounty.\n\nExamples include but are not limited to:\n* Missing HTTP security headers, like:\n  * Strict-Transport-Security\n  * X-Frame-Options\n  * X-XSS-Protection\n* Non-existent or weak captcha / captcha bypass\n* Login or “Forgot Password” page brute-forcing, and account lockout not being enforced\n* Lack of enforcement of certain product feature usage limits, such as the number of A2As\n* Lack of binary protection or obfuscation of the mobile app\n* Non-sensitive user data stored unencrypted on external storage by the mobile app\n* Crashes of the mobile app due to malformed URL schemes or intents\n* Vulnerabilities that require physical access to the device\n* Any CSRF\n* Phishing/spam attacks against users on the platform, and other findings derived from social engineering\n* Misconfiguration in SPF/DKIM records\n* Our [Challenges site](https://www.quora.com/about/challenges/) is run by HackerRank and is therefore excluded from the bounty program.\n\n# Issue Severity\n#### Critical 
severity bugs\nVulnerabilities that allow privilege escalation on the platform from unprivileged to admin, remote code execution, financial theft, etc.\n\nExamples:\n* Remote Code Execution\n* Remote Shell/Command Execution\n* Vertical authentication bypass\n* SQL Injection that leaks targeted data\n* Vulnerabilities in access control to our AWS resources\n* Misconfigured firewall in our AWS environment\n\n#### High severity bugs\nVulnerabilities that affect the security of the platform including the processes it supports. Examples:\n\n* Lateral authentication bypass\n* Stored XSS for another user\n* Local file inclusion\n* Insecure handling of authentication cookies\n\n#### Medium severity bugs\nVulnerabilities that affect multiple users and require little or no user interaction to trigger. Examples:\n* Reflected XSS\n* Insecure Direct Object References\n\n#### Low severity bugs\nIssues that affect single users and require user interaction or significant prerequisites (e.g. MitM) to trigger. Examples:\n* Self-XSS\n* Information leaks\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Quora and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-09-05T00:04:32.349Z"},{"id":3613092,"new_policy":"# New Feature In Scope\n\nWe recently announced the launch of Spaces, a new feature that allows people to curate collections and form communities around shared interests and tastes. You can find more details regarding this feature here:\n\n* See the [product announcement](https://blog.quora.com/Introducing-Spaces)\n* Spaces bounty program guidelines: {F386615}\n\n#### Test Instructions for Spaces\n* Users can create 1 space for testing whatever they want (this would include adding content, trying out the admin settings)\n  * Only 1 test space is allowed per user\n  * Users need to email hackerone@quora.com in order to get permission to create a space.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a bounty.\n* Follow HackerOne's [disclosure guidelines](https://hackerone.com/guidelines).\n* Localize all your tests to the account you are using to test. 
Don't affect other users.\n* Automated security testing against the site or APIs is not allowed.\n* Vulnerabilities in third-party libraries without proof of exploitation will not be rewarded.\n* Report product-related issues by following the instructions [here](https://www.quora.com/How-can-I-report-a-bug-on-Quora).\n\n# Focus Areas\n#### Spaces\n* Vertical authentication bypass\n* Lateral authentication bypass\n* Information leaks\n* XSS\n\n#### Critical Severity Vulnerabilities\n* Remote code execution/shell injection\n* Vertical authentication bypass\n* Public AWS resource policy\n* SQL injection\n* Anonymity-related bugs\n\n# Exclusions\nWe have made conscious product tradeoffs at times and have not implemented some security best practices. Please be aware that we will not pay a bounty for reports that are only about a missing security best practice. Having said that, if a missing best practice can be exploited to impact our users, we do want to hear about it and will pay a bounty.\n\nExamples include but are not limited to:\n* Missing HTTP security headers, like:\n  * Strict-Transport-Security\n  * X-Frame-Options\n  * X-XSS-Protection\n* Non-existent or weak captcha / captcha bypass\n* Login or “Forgot Password” page brute-forcing, and account lockout not being enforced\n* Lack of enforcement of certain product feature usage limits, such as the number of A2As\n* Lack of binary protection or obfuscation of the mobile app\n* Non-sensitive user data stored unencrypted on external storage by the mobile app\n* Crashes of the mobile app due to malformed URL schemes or intents\n* Vulnerabilities that require physical access to the device\n* Any CSRF\n* Phishing/spam attacks against users on the platform, and other findings derived from social engineering\n* Misconfiguration in SPF/DKIM records\n* Our [Challenges site](https://www.quora.com/about/challenges/) is run by HackerRank and is therefore excluded from the bounty program.\n\n# Issue Severity\n#### Critical 
severity bugs\nVulnerabilities that allow privilege escalation on the platform from unprivileged to admin, remote code execution, financial theft, etc.\n\nExamples:\n* Remote Code Execution\n* Remote Shell/Command Execution\n* Vertical authentication bypass\n* SQL Injection that leaks targeted data\n* Vulnerabilities in access control to our AWS resources\n* Misconfigured firewall in our AWS environment\n\n#### High severity bugs\nVulnerabilities that affect the security of the platform including the processes it supports. Examples:\n\n* Lateral authentication bypass\n* Stored XSS for another user\n* Local file inclusion\n* Insecure handling of authentication cookies\n\n#### Medium severity bugs\nVulnerabilities that affect multiple users and require little or no user interaction to trigger. Examples:\n* Reflected XSS\n* Insecure Direct Object References\n\n#### Low severity bugs\nIssues that affect single users and require user interaction or significant prerequisites (e.g. MitM) to trigger. Examples:\n* Self-XSS\n* Information leaks\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Quora and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-07-01T16:43:57.862Z"},{"id":3603653,"new_policy":"# New Feature In Scope\n\nWe recently announced the launch of Spaces, a new feature that allows people to curate collections and form communities around shared interests and tastes. You can find more details regarding this feature here:\n\n* See the [product announcement](https://blog.quora.com/Introducing-Spaces)\n* Spaces bounty program guidelines: {F386615}\n\n#### Test Instructions for Spaces\n* Users can create 1 space for testing whatever they want (this would include adding content, trying out the admin settings)\n  * Only 1 test space is allowed per user\n  * Users need to email hackerone@quora.com in order to get permission to create a space.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a bounty.\n* Follow HackerOne's [disclosure guidelines](https://hackerone.com/guidelines).\n* Localize all your tests to the account you are using to test. 
Don't affect other users.\n* Automated security testing against the site or APIs is not allowed.\n* Vulnerabilities in third-party libraries without proof of exploitation will not be rewarded.\n* Report product-related issues by following the instructions [here](https://www.quora.com/How-can-I-report-a-bug-on-Quora).\n\n# Focus Areas\n#### Spaces\n* Vertical authentication bypass\n* Lateral authentication bypass\n* Information leaks\n* XSS\n\n#### Critical Severity Vulnerabilities\n* Remote code execution / shell injection\n* Vertical authentication bypass\n* Public AWS resource policy\n* SQL injection\n* Anonymity-related bugs\n\n# Exclusions\nWe have made conscious product tradeoffs at times and have not implemented some security best practices. Please be aware that we will not pay a bounty for reports that are only about a missing security best practice. Having said that, if a missing best practice can be exploited to impact our users, we do want to hear about it and will pay a bounty.\n\nExamples include but are not limited to:\n* Missing HTTP security headers, like:\n  * Strict-Transport-Security\n  * X-Frame-Options\n  * X-XSS-Protection\n* Non-existent or weak captcha / captcha bypass\n* Login or “Forgot Password” page brute-forcing, and account lockout not being enforced\n* Lack of enforcement of certain product feature usage limits, such as the number of A2As\n* Lack of binary protection or obfuscation of the mobile app\n* Non-sensitive user data stored unencrypted on external storage by the mobile app\n* Crashes of the mobile app due to malformed URL schemes or intents\n* Vulnerabilities that require physical access to the device\n* Any CSRF\n* Phishing/spam attacks against users on the platform, and other findings derived from social engineering\n* Misconfiguration in SPF/DKIM records\n* Our [Challenges site](https://www.quora.com/about/challenges/) is run by HackerRank and is therefore excluded from the bounty program.\n\n# Issue Severity\n#### 
Critical severity bugs\nVulnerabilities that allow privilege escalation on the platform from unprivileged to admin, remote code execution, financial theft, etc. For these vulnerabilities, we may choose to award a **bonus of up to $7000**.\n\nExamples:\n* Remote Code Execution\n* Remote Shell/Command Execution\n* Vertical authentication bypass\n* SQL Injection that leaks targeted data\n* Vulnerabilities in access control to our AWS resources\n* Misconfigured firewall in our AWS environment\n\nThis bonus applies only to valid Remote Code Execution vulnerabilities identified in Quora.com server code, and only to the primary Quora.com features like questions, answers, comments etc.\n\n#### High severity bugs\nVulnerabilities that affect the security of the platform including the processes it supports. Examples:\n\n* Lateral authentication bypass\n* Stored XSS for another user\n* Local file inclusion\n* Insecure handling of authentication cookies\n\n#### Medium severity bugs\nVulnerabilities that affect multiple users and require little or no user interaction to trigger. Examples:\n* Reflected XSS\n* Insecure Direct Object References\n\n#### Low severity bugs\nIssues that affect single users and require user interaction or significant prerequisites (e.g. MitM) to trigger. Examples:\n* Self-XSS\n* Information leaks\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Quora and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-02-25T19:53:30.805Z"},{"id":3597171,"new_policy":"# New Feature In Scope\n\nWe recently announced the launch of Spaces, a new feature that allows people to curate collections and form communities around shared interests and tastes. You can find more details regarding this feature here:\n\n* See the [product announcement](https://blog.quora.com/Introducing-Spaces)\n* Spaces bounty program guidelines: {F386615}\n\n#### Test Instructions for Spaces\n* Users can create 1 space for testing whatever they want (this would include adding content, trying out the admin settings)\n  * Only 1 test space is allowed per user\n  * Users need to email Quora in order to get permission to create a space.\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a bounty.\n* Follow HackerOne's [disclosure guidelines](https://hackerone.com/guidelines).\n* Localize all your tests to the account you are using to test. 
Don't affect other users.\n* Automated security testing against the site or APIs is not allowed.\n* Vulnerabilities in third-party libraries without proof of exploitation will not be rewarded.\n* Report product-related issues by following the instructions [here](https://www.quora.com/How-can-I-report-a-bug-on-Quora).\n\n# Focus Areas\n#### Spaces\n* Vertical authentication bypass\n* Lateral authentication bypass\n* Information leaks\n* XSS\n\n#### Critical Severity Vulnerabilities\n* Remote code execution / shell injection\n* Vertical authentication bypass\n* Public AWS resource policy\n* SQL injection\n* Anonymity-related bugs\n\n# Exclusions\nWe have made conscious product tradeoffs at times and have not implemented some security best practices. Please be aware that we will not pay a bounty for reports that are only about a missing security best practice. Having said that, if a missing best practice can be exploited to impact our users, we do want to hear about it and will pay a bounty.\n\nExamples include but are not limited to:\n* Missing HTTP security headers, like:\n  * Strict-Transport-Security\n  * X-Frame-Options\n  * X-XSS-Protection\n* Non-existent or weak captcha / captcha bypass\n* Login or “Forgot Password” page brute-forcing, and account lockout not being enforced\n* Lack of enforcement of certain product feature usage limits, such as the number of A2As\n* Lack of binary protection or obfuscation of the mobile app\n* Non-sensitive user data stored unencrypted on external storage by the mobile app\n* Crashes of the mobile app due to malformed URL schemes or intents\n* Vulnerabilities that require physical access to the device\n* Any CSRF\n* Phishing/spam attacks against users on the platform, and other findings derived from social engineering\n* Misconfiguration in SPF/DKIM records\n* Our [Challenges site](https://www.quora.com/about/challenges/) is run by HackerRank and is therefore excluded from the bounty program.\n\n# Issue Severity\n#### 
Critical severity bugs\nVulnerabilities that allow privilege escalation on the platform from unprivileged to admin, remote code execution, financial theft, etc. For these vulnerabilities, we may choose to award a **bonus of up to $7000**.\n\nExamples:\n* Remote Code Execution\n* Remote Shell/Command Execution\n* Vertical authentication bypass\n* SQL Injection that leaks targeted data\n* Vulnerabilities in access control to our AWS resources\n* Misconfigured firewall in our AWS environment\n\nThis bonus applies only to valid Remote Code Execution vulnerabilities identified in Quora.com server code, and only to the primary Quora.com features like questions, answers, comments etc.\n\n#### High severity bugs\nVulnerabilities that affect the security of the platform including the processes it supports. Examples:\n\n* Lateral authentication bypass\n* Stored XSS for another user\n* Local file inclusion\n* Insecure handling of authentication cookies\n\n#### Medium severity bugs\nVulnerabilities that affect multiple users and require little or no user interaction to trigger. Examples:\n* Reflected XSS\n* Insecure Direct Object References\n\n#### Low severity bugs\nIssues that affect single users and require user interaction or significant prerequisites (e.g. MitM) to trigger. Examples:\n* Self-XSS\n* Information leaks\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Quora and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-12-06T20:34:25.441Z"},{"id":3597170,"new_policy":"# New Feature In Scope\n\nWe recently announced the launch of Spaces, a new feature that allows people to curate collections and form communities around shared interests and tastes. You can find more details regarding this feature here:\n\n* See the [product announcement](https://blog.quora.com/Introducing-Spaces)\n* Spaces bounty program guidelines: {F386615}\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a bounty.\n* Follow HackerOne's [disclosure guidelines](https://hackerone.com/guidelines).\n* Localize all your tests to the account you are using to test. 
Don't affect other users.\n* Automated security testing against the site or APIs is not allowed.\n* Vulnerabilities in third-party libraries without proof of exploitation will not be rewarded.\n* Report product-related issues by following the instructions [here](https://www.quora.com/How-can-I-report-a-bug-on-Quora).\n\n# Focus Areas\n#### Spaces\n* Vertical authentication bypass\n* Lateral authentication bypass\n* Information leaks\n* XSS\n\n#### Critical Severity Vulnerabilities\n* Remote code execution / shell injection\n* Vertical authentication bypass\n* Public AWS resource policy\n* SQL injection\n* Anonymity-related bugs\n\n# Exclusions\nWe have made conscious product tradeoffs at times and have not implemented some security best practices. Please be aware that we will not pay a bounty for reports that are only about a missing security best practice. Having said that, if a missing best practice can be exploited to impact our users, we do want to hear about it and will pay a bounty.\n\nExamples include but are not limited to:\n\n* Missing HTTP security headers, like:\n  * Strict-Transport-Security\n  * X-Frame-Options\n  * X-XSS-Protection\n* Non-existent or weak captcha / captcha bypass\n* Login or “Forgot Password” page brute-forcing, and account lockout not being enforced\n* Lack of enforcement of certain product feature usage limits, such as the number of A2As\n* Lack of binary protection or obfuscation of the mobile app\n* Non-sensitive user data stored unencrypted on external storage by the mobile app\n* Crashes of the mobile app due to malformed URL schemes or intents\n* Vulnerabilities that require physical access to the device\n* Any CSRF\n* Phishing/spam attacks against users on the platform, and other findings derived from social engineering\n* Misconfiguration in SPF/DKIM records\n* Our [Challenges site](https://www.quora.com/about/challenges/) is run by HackerRank and is therefore excluded from the bounty program.\n\n#### Test Instructions 
for Spaces\n* Users can create 1 space for testing whatever they want (this would include adding content, trying out the admin settings)\n  * Only 1 test space is allowed per user\n  * Users need to email Quora in order to get permission to create a space.\n\n# Rewards\n* Our rewards are based on the impact of a vulnerability. We will update the program over time based on feedback, so please give us feedback on any part of the program you think we can improve on.\n* When duplicates occur, we award the first report that we can completely reproduce.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Amounts below are the **maximum** we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n\n#### Critical severity bugs\nVulnerabilities that allow privilege escalation on the platform from unprivileged to admin, remote code execution, financial theft, etc. For these vulnerabilities, we may choose to award a **bonus of up to $7000**.\n\nExamples:\n* Remote Code Execution\n* Remote Shell/Command Execution\n* Vertical authentication bypass\n* SQL Injection that leaks targeted data\n* Vulnerabilities in access control to our AWS resources\n* Misconfigured firewall in our AWS environment\n\nThis bonus applies only to valid Remote Code Execution vulnerabilities identified in Quora.com server code, and only to the primary Quora.com features like questions, answers, comments etc.\n\n#### High severity bugs\nVulnerabilities that affect the security of the platform including the processes it supports. Examples:\n\n* Lateral authentication bypass\n* Stored XSS for another user\n* Local file inclusion\n* Insecure handling of authentication cookies\n\n#### Medium severity bugs\nVulnerabilities that affect multiple users and require little or no user interaction to trigger. 
Examples:\n* Reflected XSS\n* Insecure Direct Object References\n\n#### Low severity bugs\nIssues that affect single users and require user interaction or significant prerequisites (e.g. MitM) to trigger. Examples:\n* Self-XSS\n* Information leaks\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Quora and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-12-06T20:28:48.628Z"},{"id":3595744,"new_policy":"In order to achieve our mission of sharing and growing the world's knowledge, we need to maintain a secure platform for writers and readers. To that end, we run this bug bounty program to enlist the community's help in identifying and mitigating security threats. We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being proactive rather than reactive to emerging security issues is a fundamental belief at Quora. Every day, new security issues and attack vectors are created. Quora strives to keep abreast of the latest state-of-the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure world.\n\n# New Feature In Scope\n\nWe recently announced the launch of Spaces, a new feature that allows people to curate collections and form communities around shared interests and tastes. 
You can find more details regarding this feature at https://blog.quora.com/Introducing-Spaces\n\nFor more efficient testing, please view specific details about the Spaces feature in this attachment: {F380993}\n\n## Test Instructions for Spaces\n* Users can create 1 space for testing whatever they want (this would include adding content, trying out the admin settings)\n     * Only 1 test space is allowed per user\n     * Users need to email Quora in order to get permission to create a space.\n\n# Program Rules\n\n* Automated security testing against the site or APIs is not allowed.\n* Localize all your tests to the account you are using to test. Don't affect other users.\n* Findings derived primarily from social engineering (e.g. phishing, vishing, smishing) are not allowed.\n* Follow HackerOne's [disclosure guidelines](https://hackerone.com/guidelines).\n\n# Rewards\n\nOur rewards are based on the impact of a vulnerability. We will update the program over time based on feedback, so please give us feedback on any part of the program you think we can improve on.\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a bounty.\n* When duplicates occur, we award the first report that we can completely reproduce.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Amounts below are the **maximum** we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n\n**Note:** *Bugs like remote code execution, remote shell and SQL injection that can leak specific data, and any anonymity-related bugs, are directly aligned with the business risks we are concerned about. These types of bugs will be classified as higher risk. 
Most other bugs will be rated lower severity.*\n\n**Critical severity bugs ($3000)**: Vulnerabilities that allow privilege escalation on the platform from unprivileged to admin, remote code execution, financial theft, etc. Examples:\n\n* Remote Code Execution\n* Remote Shell/Command Execution\n* Vertical authentication bypass\n* SQL Injection that leaks targeted data\n\nBONUS: **Up to $7000** for a valid Remote Code Execution vulnerability identified in Quora.com server code. This bonus is only for the server code and only for the primary Quora.com features like questions, answers, comments etc.\n\n**High severity bugs ($750)**: Vulnerabilities that affect the security of the platform including the processes it supports. Examples:\n\n* Lateral authentication bypass\n* Stored XSS for another user\n* Local file inclusion\n* Insecure handling of authentication cookies\n\n**Medium severity bugs ($300)**: Vulnerabilities that affect multiple users and require little or no user interaction to trigger. Examples:\n\n* Reflected XSS\n* Insecure Direct Object References\n\n**Low severity bugs ($100)**: Issues that affect single users and require user interaction or significant prerequisites (e.g. MitM) to trigger. Examples:\n\n* Self-XSS\n* Information leaks\n\n# Focus Areas\n**Spaces**\n* Vertical authentication bypass\n     * Medium severity in the context of Spaces (affects multiple users but not the security of the platform)\n* Lateral authentication bypass\n     * Medium severity in the context of Spaces (affects multiple users but not the security of the platform)\n* Information leaks\n* XSS\n\n**Critical Severity Vulnerabilities**\n* Remote code execution / shell injection\n* Vertical authentication bypass\n* SQL injection\n\n### **Some Exclusions**\n\nWe have made conscious product tradeoffs at times and have not implemented some security best practices. Please be aware that we will not pay a bounty for reports that are only about a missing security best practice. 
\n\nExamples include but are not limited to:\n\n* Missing HTTP security headers, like:\n    * Strict-Transport-Security\n    * X-Frame-Options\n    * X-XSS-Protection\n* Non-existent or weak captcha / captcha bypass\n* Login or “Forgot Password” page brute-forcing, and account lockout not being enforced\n* Lack of enforcement of certain product feature usage limits, such as the number of A2As\n* Lack of binary protection or obfuscation of the mobile app\n* Non-sensitive user data stored unencrypted on external storage by the mobile app\n* Crashes of the mobile app due to malformed URL schemes or intents\n* Vulnerabilities that require physical access to the device\n* Any CSRF\n\nHaving said that, if a missing best practice can be exploited to impact our users, we do want to hear about it and will pay a bounty.\n\nVulnerabilities in third-party libraries without proof of exploitation will not be rewarded.\n\nhttps://www.quora.com/about/challenges/ is run by HackerRank and is therefore excluded from the bounty program.\n\nReport product-related issues by following the instructions at this link: [https://www.quora.com/How-can-I-report-a-bug-on-Quora](https://www.quora.com/How-can-I-report-a-bug-on-Quora).\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Quora and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-11-27T01:15:21.185Z"},{"id":3595606,"new_policy":"In order to achieve our mission of sharing and growing the world's knowledge, we need to maintain a secure platform for writers and readers. To that end, we run this bug bounty program to enlist the community's help in identifying and mitigating security threats. We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being proactive rather than reactive to emerging security issues is a fundamental belief at Quora. Every day, new security issues and attack vectors are created. Quora strives to keep abreast of the latest state-of-the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure world.\n\n# **Announcement**\nWe want to build a bounty program that not only provides Quora with valuable reports, but that also provides you with an attractive hacking target. In an effort to make changes that will benefit all parties, we want to hear and learn from you:\n\nPlease take this [**6-minute survey**](https://docs.google.com/forms/d/e/1FAIpQLSfcAK3JuVMYMeXy4bCyprYhvaUMC8eEk4UyYopq3S7443O6Ew/viewform?usp=sf_link) to share your thoughts and recommendations for our bounty program! 
\n\n## Program Rules\n\n* Automated security testing against the site or APIs is not allowed.\n* Localize all your tests to the account you are using to test. Don't affect other users.\n* Findings derived primarily from social engineering (e.g. phishing, vishing, smishing) are not allowed.\n* Follow HackerOne's [disclosure guidelines](https://hackerone.com/guidelines).\n\n# Rewards\n\nOur rewards are based on the impact of a vulnerability. We will update the program over time based on feedback, so please give us feedback on any part of the program you think we can improve on.\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a bounty.\n* When duplicates occur, we award the first report that we can completely reproduce.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Amounts below are the **maximum** we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n\n**Note:** *Bugs like remote code execution, remote shell and SQL injection that can leak specific data, and any anonymity-related bugs, are directly aligned with the business risks we are concerned about. These types of bugs will be classified as higher risk. Most other bugs will be rated lower severity.*\n\n## Examples of Vulnerabilities by Severity\n\n**Critical severity bugs ($3000)**: Vulnerabilities that allow privilege escalation on the platform from unprivileged to admin, remote code execution, financial theft, etc. 
Examples:\n\n* Remote Code Execution\n* Remote Shell/Command Execution\n* Vertical Authentication bypass\n* SQL Injection that leaks targeted data\n\nBONUS: **Up to $7000** for a valid Remote Code Execution vulnerability identified in Quora.com server code. This bonus is only for the server code and only for the primary Quora.com features like questions, answers, comments etc.\n\n**High severity bugs ($750)**: Vulnerabilities that affect the security of the platform including the processes it supports. Examples:\n\n* Lateral authentication bypass\n* Stored XSS for another user\n* Local file inclusion\n* Insecure handling of authentication cookies\n\n**Medium severity bugs ($300)**: Vulnerabilities that affect multiple users, and require little or no user interaction to trigger. Examples:\n\n* Reflective XSS\n* Insecure Direct Object References\n\n**Low severity bugs ($100)**: Issues that affect singular users and require interaction or significant prerequisites (MitM) to trigger. Examples:\n\n* Self-XSS\n* Information leaks\n\n# **Focus Areas**\n\n* Remote code execution / shell injection\n* Vertical Authentication bypass\n* SQL injection\n\n## **Some Exclusions**\n\nWe have made conscious product tradeoffs at times and have not implemented some security best practices. Please be aware that we will not pay a bounty for reports that are only about a missing security best practice.
\n\nExamples include but are not limited to:\n\n* Missing HTTP security headers, like:\n    * Strict-Transport-Security\n    * X-Frame-Options\n    * X-XSS-Protection\n* Non-existent or weak captcha / captcha bypass\n* Login or “Forgot Password” page brute-forcing, and account lockout not being enforced\n* Lack of enforcement of certain product feature usage limits, such as the number of A2As\n* Lack of binary protection or obfuscation of the mobile app\n* Non-sensitive user data stored unencrypted on external storage by the mobile app\n* Crashes of the mobile app due to malformed URL schemes or intents\n* Vulnerabilities that require physical access to the device\n* Any CSRF\n\n\nHaving said that, if a missing best practice can be exploited to impact our users, we do want to hear about it and will pay a bounty.\n\nVulnerabilities in third-party libraries without proof of exploitation will not be rewarded.\n\nhttps://www.quora.com/about/challenges/ is run by HackerRank and is therefore excluded from the bounty program.\n\nReport product-related issues by following the instructions at this link: [https://www.quora.com/How-can-I-report-a-bug-on-Quora](https://www.quora.com/How-can-I-report-a-bug-on-Quora).\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you.
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Quora and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-11-25T05:45:07.427Z"},{"id":3594212,"new_policy":"In order to achieve our mission of sharing and growing the world's knowledge, we need to maintain a secure platform for writers and readers. To that end, we run this bug bounty program to enlist the community's help in identifying and mitigating security threats. We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being proactive rather than reactive to emerging security issues is a fundamental belief at Quora. Every day, new security issues and attack vectors are created. Quora strives to keep abreast of the latest state-of-the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure world.\n\n# **Announcement**\nWe want to build a bounty program that not only provides Quora with valuable reports, but that also provides you with an attractive hacking target. In an effort to make changes that will benefit all parties, we want to hear and learn from you:\n\nPlease take this [**6-minute survey**](https://docs.google.com/forms/d/e/1FAIpQLSfcAK3JuVMYMeXy4bCyprYhvaUMC8eEk4UyYopq3S7443O6Ew/viewform?usp=sf_link) to share your thoughts and recommendations for our bounty program!
\n\n## Program Rules\n\n* Automated security testing against the site or APIs is not allowed.\n* Localize all your tests to the account you are using to test. Don't affect other users.\n* Findings derived primarily from social engineering (e.g. phishing, vishing, smishing) are not allowed.\n* Follow HackerOne's [disclosure guidelines](https://hackerone.com/guidelines).\n\n## Rewards\n\nOur rewards are based on the impact of a vulnerability. We will update the program over time based on feedback, so please give us feedback on any part of the program you think we can improve on.\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for bounty.\n* When duplicates occur, we award the first report that we can completely reproduce.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Amounts below are the **maximum** we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n\n**Note:** *Bugs like remote code execution, remote shell, SQL injection that can leak specific data, and any anonymity-related bugs are directly aligned with business risks that we are concerned about. These types of bugs will be classified as higher risk. Most other bugs will be rated lower severity.*\n\n**Critical severity bugs ($3000)**: Vulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allow remote code execution, financial theft, etc.
Examples:\n\n* Remote Code Execution\n* Remote Shell/Command Execution\n* Vertical Authentication bypass\n* SQL Injection that leaks targeted data\n\nThere is now a bonus of **up to $7000** for a valid Remote Code Execution vulnerability identified in Quora.com server code.\nNote: This bonus is only for the server code and only for the primary Quora.com features like questions, answers, comments etc.\n\n**High severity bugs ($750)**: Vulnerabilities that affect the security of the platform including the processes it supports. Examples:\n\n* Lateral authentication bypass\n* Stored XSS for another user\n* Local file inclusion\n* Insecure handling of authentication cookies\n\n**Medium severity bugs ($300)**: Vulnerabilities that affect multiple users, and require little or no user interaction to trigger. Examples:\n\n* Reflective XSS\n* Insecure Direct Object References\n\n**Low severity bugs ($100)**: Issues that affect singular users and require interaction or significant prerequisites (MitM) to trigger. Examples:\n\n* Self-XSS\n* Information leaks\n\n### **Focus Areas**\n\n* Remote code execution / shell injection\n* Vertical Authentication bypass\n* SQL injection\n\n### **Some Exclusions**\n\nWe have made conscious product tradeoffs at times and have not implemented some security best practices. Please be aware that we will not pay a bounty for reports that are only about a missing security best practice.
\n\nExamples include but are not limited to:\n\n* Missing HTTP security headers, like:\n    * Strict-Transport-Security\n    * X-Frame-Options\n    * X-XSS-Protection\n* Non-existent or weak captcha / captcha bypass\n* Login or “Forgot Password” page brute-forcing, and account lockout not being enforced\n* Lack of enforcement of certain product feature usage limits, such as the number of A2As\n* Lack of binary protection or obfuscation of the mobile app\n* Non-sensitive user data stored unencrypted on external storage by the mobile app\n* Crashes of the mobile app due to malformed URL schemes or intents\n* Vulnerabilities that require physical access to the device\n* Any CSRF\n\n\nHaving said that, if a missing best practice can be exploited to impact our users, we do want to hear about it and will pay a bounty.\n\nVulnerabilities in third-party libraries without proof of exploitation will not be rewarded.\n\nhttps://www.quora.com/about/challenges/ is run by HackerRank and is therefore excluded from the bounty program.\n\nReport product-related issues by following the instructions at this link: [https://www.quora.com/How-can-I-report-a-bug-on-Quora](https://www.quora.com/How-can-I-report-a-bug-on-Quora).\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you.
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Quora and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-11-09T22:45:57.131Z"},{"id":3584432,"new_policy":"In order to achieve our mission of sharing and growing the world's knowledge, we need to maintain a secure platform for writers and readers. To that end, we run this bug bounty program to enlist the community's help in identifying and mitigating security threats. We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being proactive rather than reactive to emerging security issues is a fundamental belief at Quora. Every day, new security issues and attack vectors are created. Quora strives to keep abreast of the latest state-of-the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure world.\n\n# **Announcement**\nWe want to build a bounty program that not only provides Quora with valuable reports, but that also provides you with an attractive hacking target. In an effort to make changes that will benefit all parties, we want to hear and learn from you:\n\nPlease take this [**6-minute survey**](https://docs.google.com/forms/d/e/1FAIpQLSfcAK3JuVMYMeXy4bCyprYhvaUMC8eEk4UyYopq3S7443O6Ew/viewform?usp=sf_link) to share your thoughts and recommendations for our bounty program!
\n\n## Program Rules\n\n* Automated security testing against the site or APIs is not allowed.\n* Localize all your tests to the account you are using to test. Don't affect other users.\n* Findings derived primarily from social engineering (e.g. phishing, vishing, smishing) are not allowed.\n* Follow HackerOne's [disclosure guidelines](https://hackerone.com/guidelines).\n\n## Rewards\n\nOur rewards are based on the impact of a vulnerability. We will update the program over time based on feedback, so please give us feedback on any part of the program you think we can improve on.\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for bounty.\n* When duplicates occur, we award the first report that we can completely reproduce.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Amounts below are the **maximum** we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n\n**Note:** *Bugs like remote code execution, remote shell, SQL injection that can leak specific data, and any anonymity-related bugs are directly aligned with business risks that we are concerned about. These types of bugs will be classified as higher risk. Most other bugs will be rated lower severity.*\n\n**Critical severity bugs ($3000)**: Vulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allow remote code execution, financial theft, etc.
Examples:\n\n* Remote Code Execution\n* Remote Shell/Command Execution\n* Vertical Authentication bypass\n* SQL Injection that leaks targeted data\n\nThere is now a bonus of **up to $7000** for a valid Remote Code Execution vulnerability identified in Quora.com server code.\nNote: This bonus is only for the server code and only for the primary Quora.com features like questions, answers, comments etc.\n\n**High severity bugs ($750)**: Vulnerabilities that affect the security of the platform including the processes it supports. Examples:\n\n* Lateral authentication bypass\n* Stored XSS for another user\n* Local file inclusion\n* Insecure handling of authentication cookies\n\n**Medium severity bugs ($300)**: Vulnerabilities that affect multiple users, and require little or no user interaction to trigger. Examples:\n\n* Reflective XSS\n* Insecure Direct Object References\n\n**Low severity bugs ($100)**: Issues that affect singular users and require interaction or significant prerequisites (MitM) to trigger. Examples:\n\n* Self-XSS\n* Information leaks\n\n### **Focus Areas**\n\n* Remote code execution / shell injection\n* Vertical Authentication bypass\n* SQL injection\n\n### **Some Exclusions**\n\nWe have made conscious product tradeoffs at times and have not implemented some security best practices. Please be aware that we will not pay a bounty for reports that are only about a missing security best practice.
\n\nExamples include but are not limited to:\n\n* Missing HTTP security headers, like:\n    * Strict-Transport-Security\n    * X-Frame-Options\n    * X-XSS-Protection\n* Non-existent or weak captcha / captcha bypass\n* Login or “Forgot Password” page brute-forcing, and account lockout not being enforced\n* Lack of enforcement of certain product feature usage limits, such as the number of A2As\n* Lack of binary protection or obfuscation of the mobile app\n* Non-sensitive user data stored unencrypted on external storage by the mobile app\n* Crashes of the mobile app due to malformed URL schemes or intents\n* Vulnerabilities that require physical access to the device\n* Any CSRF\n\n\nHaving said that, if a missing best practice can be exploited to impact our users, we do want to hear about it and will pay a bounty.\n\nVulnerabilities in third-party libraries without proof of exploitation will not be rewarded.\n\nhttps://www.quora.com/about/challenges/ is run by HackerRank and is therefore excluded from the bounty program.\n\nReport product-related issues by following the instructions at this link: [https://www.quora.com/How-can-I-report-a-bug-on-Quora](https://www.quora.com/How-can-I-report-a-bug-on-Quora).\n\nThank you for helping keep Quora and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-08-02T20:38:47.964Z"},{"id":3575358,"new_policy":"In order to achieve our mission of sharing and growing the world's knowledge, we need to maintain a secure platform for writers and readers. To that end, we run this bug bounty program to enlist the community's help in identifying and mitigating security threats.
We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being proactive rather than reactive to emerging security issues is a fundamental belief at Quora. Every day, new security issues and attack vectors are created. Quora strives to keep abreast of the latest state-of-the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure world.\n\n## Program Rules\n\n* Automated security testing against the site or APIs is not allowed.\n* Localize all your tests to the account you are using to test. Don't affect other users.\n* Findings derived primarily from social engineering (e.g. phishing, vishing, smishing) are not allowed.\n* Follow HackerOne's [disclosure guidelines](https://hackerone.com/guidelines).\n\n## Rewards\n\nOur rewards are based on the impact of a vulnerability. We will update the program over time based on feedback, so please give us feedback on any part of the program you think we can improve on.\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for bounty.\n* When duplicates occur, we award the first report that we can completely reproduce.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Amounts below are the **maximum** we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n\n**Note:** *Bugs like remote code execution, remote shell, SQL injection that can leak specific data, and any anonymity-related bugs are directly aligned with business risks that we are concerned about. These types of bugs will be classified as higher risk.
Most other bugs will be rated lower severity.*\n\n**Critical severity bugs ($3000)**: Vulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allow remote code execution, financial theft, etc. Examples:\n\n* Remote Code Execution\n* Remote Shell/Command Execution\n* Vertical Authentication bypass\n* SQL Injection that leaks targeted data\n\nThere is now a bonus of **up to $7000** for a valid Remote Code Execution vulnerability identified in Quora.com server code.\nNote: This bonus is only for the server code and only for the primary Quora.com features like questions, answers, comments etc.\n\n**High severity bugs ($750)**: Vulnerabilities that affect the security of the platform including the processes it supports. Examples:\n\n* Lateral authentication bypass\n* Stored XSS for another user\n* Local file inclusion\n* Insecure handling of authentication cookies\n\n**Medium severity bugs ($300)**: Vulnerabilities that affect multiple users, and require little or no user interaction to trigger. Examples:\n\n* Reflective XSS\n* Insecure Direct Object References\n\n**Low severity bugs ($100)**: Issues that affect singular users and require interaction or significant prerequisites (MitM) to trigger. Examples:\n\n* Self-XSS\n* Information leaks\n\n### **Focus Areas**\n\n* Remote code execution / shell injection\n* Vertical Authentication bypass\n* SQL injection\n\n### **Some Exclusions**\n\nWe have made conscious product tradeoffs at times and have not implemented some security best practices. Please be aware that we will not pay a bounty for reports that are only about a missing security best practice.
\n\nExamples include but are not limited to:\n\n* Missing HTTP security headers, like:\n    * Strict-Transport-Security\n    * X-Frame-Options\n    * X-XSS-Protection\n* Non-existent or weak captcha / captcha bypass\n* Login or “Forgot Password” page brute-forcing, and account lockout not being enforced\n* Lack of enforcement of certain product feature usage limits, such as the number of A2As\n* Lack of binary protection or obfuscation of the mobile app\n* Non-sensitive user data stored unencrypted on external storage by the mobile app\n* Crashes of the mobile app due to malformed URL schemes or intents\n* Vulnerabilities that require physical access to the device\n* Any CSRF\n\n\nHaving said that, if a missing best practice can be exploited to impact our users, we do want to hear about it and will pay a bounty.\n\nVulnerabilities in third-party libraries without proof of exploitation will not be rewarded.\n\nhttps://www.quora.com/about/challenges/ is run by HackerRank and is therefore excluded from the bounty program.\n\nReport product-related issues by following the instructions at this link: [https://www.quora.com/How-can-I-report-a-bug-on-Quora](https://www.quora.com/How-can-I-report-a-bug-on-Quora).\n\nThank you for helping keep Quora and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-05-02T17:42:03.442Z"},{"id":3568943,"new_policy":"In order to achieve our mission of sharing and growing the world's knowledge, we need to maintain a secure platform for writers and readers. To that end, we run this bug bounty program to enlist the community's help in identifying and mitigating security threats.
We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being proactive rather than reactive to emerging security issues is a fundamental belief at Quora. Every day, new security issues and attack vectors are created. Quora strives to keep abreast of the latest state-of-the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure world.\n\n## Program Rules\n\n* Automated security testing against the site or APIs is not allowed.\n* Localize all your tests to the account you are using to test. Don't affect other users.\n* Findings derived primarily from social engineering (e.g. phishing, vishing, smishing) are not allowed.\n* Follow HackerOne's [disclosure guidelines](https://hackerone.com/guidelines).\n\n## Rewards\n\nOur rewards are based on the impact of a vulnerability. We will update the program over time based on feedback, so please give us feedback on any part of the program you think we can improve on.\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for bounty.\n* When duplicates occur, we award the first report that we can completely reproduce.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Amounts below are the **maximum** we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n\n**Note:** *Bugs like remote code execution, remote shell, SQL injection that can leak specific data, and any anonymity-related bugs are directly aligned with business risks that we are concerned about. These types of bugs will be classified as higher risk.
Most other bugs will be rated lower severity.*\n\n**Critical severity bugs ($3000)**: Vulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allow remote code execution, financial theft, etc. Examples:\n\n* Remote Code Execution\n* Remote Shell/Command Execution\n* Vertical Authentication bypass\n* SQL Injection that leaks targeted data\n\nThere is now a bonus of **up to $7000** for a valid Remote Code Execution vulnerability identified in Quora.com server code.\nNote: This bonus is only for the server code and only for the primary Quora.com features like questions, answers, comments etc.\n\n**High severity bugs ($750)**: Vulnerabilities that affect the security of the platform including the processes it supports. Examples:\n\n* Lateral authentication bypass\n* Stored XSS for another user\n* Local file inclusion\n* Insecure handling of authentication cookies\n\n**Medium severity bugs ($300)**: Vulnerabilities that affect multiple users, and require little or no user interaction to trigger. Examples:\n\n* Reflective XSS\n* Insecure Direct Object References\n\n**Low severity bugs ($100)**: Issues that affect singular users and require interaction or significant prerequisites (MitM) to trigger. Examples:\n\n* Self-XSS\n* Information leaks\n\n### **Focus Areas**\n\n* Remote code execution / shell injection\n* Vertical Authentication bypass\n* SQL injection\n\n### **Some Exclusions**\n\nWe have made conscious product tradeoffs at times and have not implemented some security best practices. Please be aware that we will not pay a bounty for reports that are only about a missing security best practice.
\n\nExamples include but are not limited to:\n\n* Missing HTTP security headers, like:\n    * Strict-Transport-Security\n    * X-Frame-Options\n    * X-XSS-Protection\n* Non-existent or weak captcha / captcha bypass\n* Login or “Forgot Password” page brute-forcing, and account lockout not being enforced\n* Lack of enforcement of certain product feature usage limits, such as the number of A2As\n* Lack of binary protection or obfuscation of the mobile app\n* Non-sensitive user data stored unencrypted on external storage by the mobile app\n* Crashes of the mobile app due to malformed URL schemes or intents\n* Vulnerabilities that require physical access to the device\n* CSRF\n\n\nHaving said that, if a missing best practice can be exploited to impact our users, we do want to hear about it and will pay a bounty.\n\nVulnerabilities in third-party libraries without proof of exploitation will not be rewarded.\n\nhttps://www.quora.com/about/challenges/ is run by HackerRank and is therefore excluded from the bounty program.\n\nReport product-related issues by following the instructions at this link: [https://www.quora.com/How-can-I-report-a-bug-on-Quora](https://www.quora.com/How-can-I-report-a-bug-on-Quora).\n\nThank you for helping keep Quora and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-02-14T22:22:05.886Z"},{"id":3568942,"new_policy":"In order to achieve our mission of sharing and growing the world's knowledge, we need to maintain a secure platform for writers and readers. To that end, we run this bug bounty program to enlist the community's help in identifying and mitigating security threats. We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats.
Being proactive rather than reactive to emerging security issues is a fundamental belief at Quora. Every day, new security issues and attack vectors are created. Quora strives to keep abreast of the latest state-of-the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure world.\n\n## Program Rules\n\n* Automated security testing against the site or APIs is not allowed.\n* Localize all your tests to the account you are using to test. Don't affect other users.\n* Findings derived primarily from social engineering (e.g. phishing, vishing, smishing) are not allowed.\n* Follow HackerOne's [disclosure guidelines](https://hackerone.com/guidelines).\n\n## Rewards\n\nOur rewards are based on the impact of a vulnerability. We will update the program over time based on feedback, so please give us feedback on any part of the program you think we can improve on.\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for bounty.\n* When duplicates occur, we award the first report that we can completely reproduce.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Amounts below are the **maximum** we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n\n**Note:** *Bugs like remote code execution, remote shell, SQL injection that can leak specific data, and any anonymity-related bugs are directly aligned with business risks that we are concerned about. These types of bugs will be classified as higher risk. Most other bugs will be rated lower severity.*\n\n**Critical severity bugs ($3000)**: Vulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allow remote code execution, financial theft, etc.
Examples:\n\n* Remote Code Execution\n* Remote Shell/Command Execution\n* Vertical Authentication bypass\n* SQL Injection that leaks targeted data\n\nThere is now a bonus of **up to $7000** for a valid Remote Code Execution vulnerability identified in Quora.com server code.\nNote: This bonus is only for the server code and only for the primary Quora.com features like questions, answers, comments etc.\n\n**High severity bugs ($750)**: Vulnerabilities that affect the security of the platform including the processes it supports. Examples:\n\n* Lateral authentication bypass\n* Stored XSS for another user\n* Local file inclusion\n* Insecure handling of authentication cookies\n\n**Medium severity bugs ($300)**: Vulnerabilities that affect multiple users, and require little or no user interaction to trigger. Examples:\n\n* Reflective XSS\n* Insecure Direct Object References\n\n**Low severity bugs ($100)**: Issues that affect singular users and require interaction or significant prerequisites (MitM) to trigger. Examples:\n\n* Self-XSS\n* Information leaks\n\n## Scope\n\n*.[quora.com](http://quora.com/) (and only *.quora.com)\nThe latest version of the Android and iOS apps installed from the official store at:\n\n* https://play.google.com/store/apps/details?id=com.quora.android\n* https://itunes.apple.com/us/developer/quora-inc/id456034440\n\n### **Focus Areas**\n\n* Remote code execution / shell injection\n* Vertical Authentication bypass\n* SQL injection\n\n### **Some Exclusions**\n\nWe have made conscious product tradeoffs at times and have not implemented some security best practices. Please be aware that we will not pay a bounty for reports that are only about a missing security best practice.
\n\nExamples include but are not limited to:\n\n* Missing HTTP security headers, like:\n    * Strict-Transport-Security\n    * X-Frame-Options\n    * X-XSS-Protection\n* Non-existent or weak captcha / captcha bypass\n* Login or “Forgot Password” page brute-forcing, and account lockout not being enforced\n* Lack of enforcement of certain product feature usage limits, such as the number of A2As\n* Lack of binary protection or obfuscation of the mobile app\n* Non-sensitive user data stored unencrypted on external storage by the mobile app\n* Crashes of the mobile app due to malformed URL schemes or intents\n* Vulnerabilities that require physical access to the device\n* CSRF\n\n\nHaving said that, if a missing best practice can be exploited to impact our users, we do want to hear about it and will pay a bounty.\n\nVulnerabilities in third-party libraries without proof of exploitation will not be rewarded.\n\nhttps://www.quora.com/about/challenges/ is run by HackerRank and is therefore excluded from the bounty program.\n\nReport product-related issues by following the instructions at this link: [https://www.quora.com/How-can-I-report-a-bug-on-Quora](https://www.quora.com/How-can-I-report-a-bug-on-Quora).\n\nThank you for helping keep Quora and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-02-14T22:20:23.146Z"},{"id":3561460,"new_policy":"In order to achieve our mission of sharing and growing the world's knowledge, we need to maintain a secure platform for writers and readers. To that end, we run this bug bounty program to enlist the community's help in identifying and mitigating security threats. We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats.
Being pro-active rather than re-active to emerging security issues is a fundamental belief at Quora. Every day, new security issues and attack vectors are created. Quora strives to keep abreast on the latest state-of-the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure world.\n\n## Program Rules\n\n* Automated security testing against the site or APIs are not allowed.\n* Localize all your tests to the account you are using to test. Don't affect other users.\n* Findings derived primarily from social engineering (e.g. phishing, vishing, smishing) are not allowed.\n* Follow HackerOne's [disclosure guidelines] (https://hackerone.com/guidelines).\n\n## Rewards\n\nOur rewards are based on the impact of a vulnerability. We will update the program over time based on feedback, so please give us feedback on any part of the program you think we can improve on.\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for bounty.\n* When duplicates occur, we award the first report that we can completely reproduce.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Amounts below are the **maximum** we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n\n**Note:** *Bugs like remote code execution, remote shell and SQL injection that can leak specific data, any anonymity related bugs are directly aligned with business risk that we are concerned about. These types of bug will be classified as higher risk. Most other bugs will be rated lower severity.*\n\n**Critical severity bugs ($3000)**: Vulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allows remote code execution, financial theft, etc. 
Examples:\n\n* Remote Code Execution\n* Remote Shell/Command Execution\n* Vertical Authentication bypass\n* SQL Injection that leaks targeted data\n\nThere is now a bonus of **up to $7000** for valid Remote Code Execution vulnerability identified in Quora.com server code.\nNote: This bonus is only for the server code and only for the primary Quora.com features like questions, answers, comments etc.\n\n**High severity bugs ($750)**: Vulnerabilities that affect the security of the platform including the processes it supports. Examples:\n\n* Lateral authentication bypass\n* Stored XSS for another user \n* Local file inclusion\n* Insecure handling of authentication cookies\n\n**Medium severity bugs ($300)**: Vulnerabilities that affect multiple users, and require little or no user interaction to trigger. Examples:\n\n* Reflective XSS \n* Insecure Direct Object References\n\n**Low severity bugs ($100)**: Issues that affect singular users and require interaction or significant prerequisites (MitM) to trigger.Examples:\n\n* Self-XSS\n* Information leaks\n\n## Scope\n\n*.[quora.com](http://quora.com/) (And only *.quora.com)\nThe latest version of Android and iOS apps installed from the official store at:\n\n* https://play.google.com/store/apps/details?id=com.quora.android\n* https://itunes.apple.com/us/app/quora/id456034437\n\n### **Focus Areas**\n\n* Remote code execution / shell injection\n* Vertical Authentication bypass\n* SQL injection\n\n### **Some Exclusions**\n\nWe have made conscious product tradeoffs at times and have not implemented some security best practices. Please be aware that we will not pay a bounty for reports that are only about a missing security best practice. 
\n\nExamples include but are not limited to:\n\n* Missing HTTP security headers, like:\n    * Strict-Transport-Security\n    * X-Frame-Options\n    * X-XSS-Protection\n* Non-existent or weak captcha / captcha bypass\n* Login or “Forgot Password” page brute-forcing, and account lockout not being enforced\n* Lack of enforcement of certain product feature usage limits, such as the number of A2As\n* Lack of binary protection or obfuscation of the mobile app\n* Non-sensitive user data stored unencrypted on external storage by the mobile app\n* Crashes of the mobile app due to malformed URL schemes or intents \n* Vulnerabilities that require physical access to the device\n* CSRF\n\n\nHaving said that, if a missing best practice can be exploited to impact our users, we do want to hear about it and will pay a bounty.\n\nVulnerabilities in third-party libraries without proof of exploitation will not be rewarded.\n\nhttps://www.quora.com/about/challenges/ is run by HackerRank is therefore excluded from the bounty program.\n\nReport product-related issues by following the instructions at this link: [https://www.quora.com/How-can-I-report-a-bug-on-Quora](https://www.quora.com/How-can-I-report-a-bug-on-Quora).\n\nThank you for helping keep Quora and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-10-11T06:43:02.134Z"},{"id":3561458,"new_policy":"In order to achieve our mission of sharing and growing the world's knowledge, we need to maintain a secure platform for writers and readers. To that end, we run this bug bounty program to enlist the community's help in identifying and mitigating security threats. We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. 
Being pro-active rather than re-active to emerging security issues is a fundamental belief at Quora. Every day, new security issues and attack vectors are created. Quora strives to keep abreast on the latest state-of-the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure world.\n\n## Program Rules\n\n* Automated security testing against the site or APIs are not allowed.\n* Localize all your tests to the account you are using to test. Don't affect other users.\n* Findings derived primarily from social engineering (e.g. phishing, vishing, smishing) are not allowed.\n* Follow HackerOne's [disclosure guidelines] (https://hackerone.com/guidelines).\n\n## Rewards\n\nOur rewards are based on the impact of a vulnerability. We will update the program over time based on feedback, so please give us feedback on any part of the program you think we can improve on.\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for bounty.\n* When duplicates occur, we award the first report that we can completely reproduce.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Amounts below are the **maximum** we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n\n* Bugs like remote code execution, remote shell and SQL injection that can leak specific data are directly aligned with business risk that we are concerned about. These types of bug will be classified as higher risk. Bugs around security best practice that doesn't lead to vulnerability that are aligned with the business risk will be rated lower severity. \n\n**Critical severity bugs ($3000)**: Vulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allows remote code execution, financial theft, etc. 
Examples:\n\n* Remote Code Execution\n* Remote Shell/Command Execution\n* Vertical Authentication bypass\n* SQL Injection that leaks targeted data\n\nThere is now a bonus of **up to $7000** for valid Remote Code Execution vulnerability identified in Quora.com server code.\nNote: This bonus is only for the server code and only for the primary Quora.com features like questions, answers, comments etc.\n\n**High severity bugs ($750)**: Vulnerabilities that affect the security of the platform including the processes it supports. Examples:\n\n* Lateral authentication bypass\n* Stored XSS for another user \n* Local file inclusion\n* Insecure handling of authentication cookies\n\n**Medium severity bugs ($300)**: Vulnerabilities that affect multiple users, and require little or no user interaction to trigger. Examples:\n\n* Reflective XSS \n* Insecure Direct Object References\n\n**Low severity bugs ($100)**: Issues that affect singular users and require interaction or significant prerequisites (MitM) to trigger.Examples:\n\n* Self-XSS\n* Information leaks\n\n## Scope\n\n*.[quora.com](http://quora.com/) (And only *.quora.com)\nThe latest version of Android and iOS apps installed from the official store at:\n\n* https://play.google.com/store/apps/details?id=com.quora.android\n* https://itunes.apple.com/us/app/quora/id456034437\n\n### **Focus Areas**\n\n* Remote code execution / shell injection\n* Vertical Authentication bypass\n* SQL injection\n\n### **Some Exclusions**\n\nWe have made conscious product tradeoffs at times and have not implemented some security best practices. Please be aware that we will not pay a bounty for reports that are only about a missing security best practice. 
\n\nExamples include but are not limited to:\n\n* Missing HTTP security headers, like:\n    * Strict-Transport-Security\n    * X-Frame-Options\n    * X-XSS-Protection\n* Non-existent or weak captcha / captcha bypass\n* Login or “Forgot Password” page brute-forcing, and account lockout not being enforced\n* Lack of enforcement of certain product feature usage limits, such as the number of A2As\n* Lack of binary protection or obfuscation of the mobile app\n* Non-sensitive user data stored unencrypted on external storage by the mobile app\n* Crashes of the mobile app due to malformed URL schemes or intents \n* Vulnerabilities that require physical access to the device\n* CSRF\n\n\nHaving said that, if a missing best practice can be exploited to impact our users, we do want to hear about it and will pay a bounty.\n\nVulnerabilities in third-party libraries without proof of exploitation will not be rewarded.\n\nhttps://www.quora.com/about/challenges/ is run by HackerRank is therefore excluded from the bounty program.\n\nReport product-related issues by following the instructions at this link: [https://www.quora.com/How-can-I-report-a-bug-on-Quora](https://www.quora.com/How-can-I-report-a-bug-on-Quora).\n\nThank you for helping keep Quora and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-10-11T06:38:57.338Z"},{"id":3551877,"new_policy":"In order to achieve our mission of sharing and growing the world's knowledge, we need to maintain a secure platform for writers and readers. To that end, we run this bug bounty program to enlist the community's help in identifying and mitigating security threats. We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. 
Being pro-active rather than re-active to emerging security issues is a fundamental belief at Quora. Every day, new security issues and attack vectors are created. Quora strives to keep abreast on the latest state-of-the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure world.\n\n## Program Rules\n\n* Automated security testing against the site or APIs are not allowed.\n* Localize all your tests to the account you are using to test. Don't affect other users.\n* Findings derived primarily from social engineering (e.g. phishing, vishing, smishing) are not allowed.\n* Follow HackerOne's [disclosure guidelines](https://hackerone.com/guidelines).\n\n## Rewards\n\nOur rewards are based on the impact of a vulnerability. We will update the program over time based on feedback, so please give us feedback on any part of the program you think we can improve on.\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for bounty.\n* When duplicates occur, we award the first report that we can completely reproduce.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Amounts below are the **maximum** we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n\n**Critical severity bugs ($3000)**: Vulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allows remote code execution, financial theft, etc. 
Examples:\n\n* Remote Code Execution\n* Remote Shell/Command Execution\n* Vertical Authentication bypass\n* SQL Injection that leaks targeted data\n\nThere is now a bonus of **up to $7000** for valid Remote Code Execution vulnerability identified in Quora.com server code.\nNote: This bonus is only for the server code and only for the primary Quora.com features like questions, answers, comments etc.\n\n**High severity bugs ($750)**: Vulnerabilities that affect the security of the platform including the processes it supports. Examples:\n\n* Lateral authentication bypass\n* Stored XSS for another user \n* Local file inclusion\n* Insecure handling of authentication cookies\n\n**Medium severity bugs ($300)**: Vulnerabilities that affect multiple users, and require little or no user interaction to trigger. Examples:\n\n* Reflective XSS \n* Insecure Direct Object References\n\n**Low severity bugs ($100)**: Issues that affect singular users and require interaction or significant prerequisites (MitM) to trigger.Examples:\n\n* Self-XSS\n* Information leaks\n\n## Scope\n\n*.[quora.com](http://quora.com/) (And only *.quora.com)\nThe latest version of Android and iOS apps installed from the official store at:\n\n* https://play.google.com/store/apps/details?id=com.quora.android\n* https://itunes.apple.com/us/app/quora/id456034437\n\n### **Focus Areas**\n\n* Remote code execution / shell injection\n* Vertical Authentication bypass\n* SQL injection\n\n### **Some Exclusions**\n\nWe have made conscious product tradeoffs at times and have not implemented some security best practices. Please be aware that we will not pay a bounty for reports that are only about a missing security best practice. 
\n\nExamples include but are not limited to:\n\n* Missing HTTP security headers, like:\n    * Strict-Transport-Security\n    * X-Frame-Options\n    * X-XSS-Protection\n* Non-existent or weak captcha / captcha bypass\n* Login or “Forgot Password” page brute-forcing, and account lockout not being enforced\n* Lack of enforcement of certain product feature usage limits, such as the number of A2As\n* Lack of binary protection or obfuscation of the mobile app\n* Non-sensitive user data stored unencrypted on external storage by the mobile app\n* Crashes of the mobile app due to malformed URL schemes or intents \n* Vulnerabilities that require physical access to the device\n* CSRF\n\n\nHaving said that, if a missing best practice can be exploited to impact our users, we do want to hear about it and will pay a bounty.\n\nVulnerabilities in third-party libraries without proof of exploitation will not be rewarded.\n\nhttps://www.quora.com/about/challenges/ is run by HackerRank is therefore excluded from the bounty program.\n\nReport product-related issues by following the instructions at this link: [https://www.quora.com/How-can-I-report-a-bug-on-Quora](https://www.quora.com/How-can-I-report-a-bug-on-Quora).\n\nThank you for helping keep Quora and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-04-21T19:31:40.922Z"},{"id":3551867,"new_policy":"In order to achieve our mission of sharing and growing the world's knowledge, we need to maintain a secure platform for writers and readers. To that end, we run this bug bounty program to enlist the community's help in identifying and mitigating security threats. We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. 
Being pro-active rather than re-active to emerging security issues is a fundamental belief at Quora. Every day, new security issues and attack vectors are created. Quora strives to keep abreast on the latest state-of-the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure world.\n\n## Program Rules\n\n* Automated security testing against the site or APIs are not allowed.\n* Localize all your tests to the account you are using to test. Don't affect other users.\n* Findings derived primarily from social engineering (e.g. phishing, vishing, smishing) are not allowed.\n* Follow HackerOne's [disclosure guidelines](https://hackerone.com/guidelines).\n\n## Rewards\n\nOur rewards are based on the impact of a vulnerability. We will update the program over time based on feedback, so please give us feedback on any part of the program you think we can improve on.\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for bounty.\n* When duplicates occur, we award the first report that we can completely reproduce.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Amounts below are the **maximum** we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n\n**Critical severity bugs ($3000)**: Vulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allows remote code execution, financial theft, etc. 
Examples:\n\n* Remote Code Execution\n* Remote Shell/Command Execution\n* Vertical Authentication bypass\n* SQL Injection that leaks targeted data\n\nThere is now a bonus of **up to $7000** for valid Remote Code Execution vulnerability identified in Quora.com server code.\nNote: This bonus is only for the server code and only for the primary Quora.com features like questions, answers, comments etc.\n\n**High severity bugs ($750)**: Vulnerabilities that affect the security of the platform including the processes it supports. Examples:\n\n* Lateral authentication bypass\n* Stored XSS for another user \n* Local file inclusion\n* Insecure handling of authentication cookies\n\n**Medium severity bugs ($300)**: Vulnerabilities that affect multiple users, and require little or no user interaction to trigger. Examples:\n\n* Reflective XSS \n* Insecure Direct Object References\n\n**Low severity bugs ($100)**: Issues that affect singular users and require interaction or significant prerequisites (MitM) to trigger.Examples:\n\n* Self-XSS\n* Information leaks\n\n## Scope\n\n*.[quora.com](http://quora.com/) (And only *.quora.com)\nThe latest version of Android and iOS apps installed from the official store at:\n\n* https://play.google.com/store/apps/details?id=com.quora.android\n* https://itunes.apple.com/us/app/quora/id456034437\n\n### **Focus Areas**\n\n* Remote code execution / shell injection\n* Vertical Authentication bypass\n* SQL injection\n\n### **Some Exclusions**\n\nSometimes we have made a conscious tradeoff and have not implemented the security best practice. Please be aware that we will not pay a bounty for reports that are only about a missing security best practice. 
\n\nExamples include but are not limited to:\n\n* Missing HTTP security headers, like:\n    * Strict-Transport-Security\n    * X-Frame-Options\n    * X-XSS-Protection\n* Non-existent or weak captcha / captcha bypass\n* Login or “Forgot Password” page brute-forcing, and account lockout not being enforced\n* Lack of enforcement of certain product feature usage limits, such as the number of A2As\n* Lack of binary protection or obfuscation of the mobile app\n* Non-sensitive user data stored unencrypted on external storage by the mobile app\n* Crashes of the mobile app due to malformed URL schemes or intents \n* Vulnerabilities that require physical access to the device\n* CSRF\n\n\nHaving said that, if a missing best practice can be exploited to impact our users, we do want to hear about it and will pay a bounty.\n\nVulnerabilities in third-party libraries without proof of exploitation will not be rewarded.\n\nhttps://www.quora.com/about/challenges/ is run by HackerRank is therefore excluded from the bounty program.\n\nReport product-related issues by following the instructions at this link: [https://www.quora.com/How-can-I-report-a-bug-on-Quora](https://www.quora.com/How-can-I-report-a-bug-on-Quora).\n\nThank you for helping keep Quora and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-04-21T18:01:47.991Z"},{"id":3551864,"new_policy":"In order to achieve our mission of sharing and growing the world's knowledge, we need to maintain a secure platform for writers and readers. To that end, we run this bug bounty program to enlist the community's help in identifying and mitigating security threats. We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. 
Being pro-active rather than re-active to emerging security issues is a fundamental belief at Quora. Every day, new security issues and attack vectors are created. Quora strives to keep abreast on the latest state-of-the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure world.\n\n## Program Rules\n\n* Automated security testing against the site or APIs are not allowed.\n* Localize all your tests to the account you are using to test. Don't affect other users.\n* Findings derived primarily from social engineering (e.g. phishing, vishing, smishing) are not allowed.\n* Follow HackerOne's [disclosure guidelines](https://hackerone.com/guidelines).\n\n## Rewards\n\nOur rewards are based on the impact of a vulnerability. We will update the program over time based on feedback, so please give us feedback on any part of the program you think we can improve on.\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for bounty.\n* When duplicates occur, we award the first report that we can completely reproduce.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Amounts below are the **maximum** we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n\n**Critical severity bugs ($3000)**: Vulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allows remote code execution, financial theft, etc. 
Examples:\n\n* Remote Code Execution\n* Remote Shell/Command Execution\n* Vertical Authentication bypass\n* SQL Injection that leaks targeted data\n\nWe are announcing a bonus of **up to $7000** for valid Remote Code Execution vulnerability identified in Quora.com server code.\nNote: This bonus is only for the server code and only for the primary Quora.com features like questions, answers, comments etc.\n\n**High severity bugs ($750)**: Vulnerabilities that affect the security of the platform including the processes it supports. Examples:\n\n* Lateral authentication bypass\n* Stored XSS for another user \n* Local file inclusion\n* Insecure handling of authentication cookies\n\n**Medium severity bugs ($300)**: Vulnerabilities that affect multiple users, and require little or no user interaction to trigger. Examples:\n\n* Reflective XSS \n* Insecure Direct Object References\n\n**Low severity bugs ($100)**: Issues that affect singular users and require interaction or significant prerequisites (MitM) to trigger.Examples:\n\n* Self-XSS\n* Information leaks\n\n## Scope\n\n*.[quora.com](http://quora.com/) (And only *.quora.com)\nThe latest version of Android and iOS apps installed from the official store at:\n\n* https://play.google.com/store/apps/details?id=com.quora.android\n* https://itunes.apple.com/us/app/quora/id456034437\n\n### **Focus Areas**\n\n* Remote code execution / shell injection\n* Vertical Authentication bypass\n* SQL injection\n\n### **Some Exclusions**\n\nSometimes we have made a conscious tradeoff and have not implemented the security best practice. Please be aware that we will not pay a bounty for reports that are only about a missing security best practice. 
\n\nExamples include but are not limited to:\n\n* Missing HTTP security headers, like:\n    * Strict-Transport-Security\n    * X-Frame-Options\n    * X-XSS-Protection\n* Non-existent or weak captcha / captcha bypass\n* Login or “Forgot Password” page brute-forcing, and account lockout not being enforced\n* Lack of enforcement of certain product feature usage limits, such as the number of A2As\n* Lack of binary protection or obfuscation of the mobile app\n* Non-sensitive user data stored unencrypted on external storage by the mobile app\n* Crashes of the mobile app due to malformed URL schemes or intents \n* Vulnerabilities that require physical access to the device\n* CSRF\n\n\nHaving said that, if a missing best practice can be exploited to impact our users, we do want to hear about it and will pay a bounty.\n\nVulnerabilities in third-party libraries without proof of exploitation will not be rewarded.\n\nhttps://www.quora.com/about/challenges/ is run by HackerRank is therefore excluded from the bounty program.\n\nReport product-related issues by following the instructions at this link: [https://www.quora.com/How-can-I-report-a-bug-on-Quora](https://www.quora.com/How-can-I-report-a-bug-on-Quora).\n\nThank you for helping keep Quora and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-04-21T18:01:13.843Z"},{"id":3549577,"new_policy":"In order to achieve our mission of sharing and growing the world's knowledge, we need to maintain a secure platform for writers and readers. To that end, we run this bug bounty program to enlist the community's help in identifying and mitigating security threats. We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. 
Being pro-active rather than re-active to emerging security issues is a fundamental belief at Quora. Every day, new security issues and attack vectors are created. Quora strives to keep abreast on the latest state-of-the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure world.\n\n## Program Rules\n\n* Automated security testing against the site or APIs are not allowed.\n* Localize all your tests to the account you are using to test. Don't affect other users.\n* Findings derived primarily from social engineering (e.g. phishing, vishing, smishing) are not allowed.\n* Follow HackerOne's [disclosure guidelines](https://hackerone.com/guidelines).\n\n## Rewards\n\nOur rewards are based on the impact of a vulnerability. We will update the program over time based on feedback, so please give us feedback on any part of the program you think we can improve on.\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for bounty.\n* When duplicates occur, we award the first report that we can completely reproduce.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Amounts below are the **maximum** we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n\nWith the announcement of the changes to anonymity (https://blog.quora.com/Improvements-to-Anonymity-on-Quora) there will be bonus of **$500** for valid anonymity related bugs. \n\n**Critical severity bugs ($3000)**: Vulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allows remote code execution, financial theft, etc. 
Examples:\n\n* Remote Code Execution\n* Remote Shell/Command Execution\n* Vertical Authentication bypass\n* SQL Injection that leaks targeted data\n\n**High severity bugs ($750)**: Vulnerabilities that affect the security of the platform including the processes it supports. Examples:\n\n* Lateral authentication bypass\n* Stored XSS for another user \n* Local file inclusion\n* Insecure handling of authentication cookies\n\n**Medium severity bugs ($300)**: Vulnerabilities that affect multiple users, and require little or no user interaction to trigger. Examples:\n\n* Reflective XSS \n* Insecure Direct Object References\n\n**Low severity bugs ($100)**: Issues that affect singular users and require interaction or significant prerequisites (MitM) to trigger.Examples:\n\n* Self-XSS\n* Information leaks\n\n## Scope\n\n*.[quora.com](http://quora.com/) (And only *.quora.com)\nThe latest version of Android and iOS apps installed from the official store at:\n\n* https://play.google.com/store/apps/details?id=com.quora.android\n* https://itunes.apple.com/us/app/quora/id456034437\n\n### **Focus Areas**\n\n* Remote code execution / shell injection\n* Vertical Authentication bypass\n* SQL injection\n\n### **Some Exclusions**\n\nSometimes we have made a conscious tradeoff and have not implemented the security best practice. Please be aware that we will not pay a bounty for reports that are only about a missing security best practice. 
\n\nExamples include but are not limited to:\n\n* Missing HTTP security headers, like:\n    * Strict-Transport-Security\n    * X-Frame-Options\n    * X-XSS-Protection\n* Non-existent or weak captcha / captcha bypass\n* Login or “Forgot Password” page brute-forcing, and account lockout not being enforced\n* Lack of enforcement of certain product feature usage limits, such as the number of A2As\n* Lack of binary protection or obfuscation of the mobile app\n* Non-sensitive user data stored unencrypted on external storage by the mobile app\n* Crashes of the mobile app due to malformed URL schemes or intents \n* Vulnerabilities that require physical access to the device\n* CSRF\n\n\nHaving said that, if a missing best practice can be exploited to impact our users, we do want to hear about it and will pay a bounty.\n\nVulnerabilities in third-party libraries without proof of exploitation will not be rewarded.\n\nhttps://www.quora.com/about/challenges/ is run by HackerRank is therefore excluded from the bounty program.\n\nReport product-related issues by following the instructions at this link: [https://www.quora.com/How-can-I-report-a-bug-on-Quora](https://www.quora.com/How-can-I-report-a-bug-on-Quora).\n\nThank you for helping keep Quora and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-03-22T00:36:00.541Z"},{"id":3544231,"new_policy":"In order to achieve our mission of sharing and growing the world's knowledge, we need to maintain a secure platform for writers and readers. To that end, we run this bug bounty program to enlist the community's help in identifying and mitigating security threats. We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. 
Being pro-active rather than re-active to emerging security issues is a fundamental belief at Quora. Every day, new security issues and attack vectors are created. Quora strives to keep abreast of the latest state-of-the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure world.\n\n## Program Rules\n\n* Automated security testing against the site or APIs is not allowed.\n* Localize all your tests to the account you are using to test. Don't affect other users.\n* Findings derived primarily from social engineering (e.g. phishing, vishing, smishing) are not allowed.\n* Follow HackerOne's [disclosure guidelines](https://hackerone.com/guidelines).\n\n## Rewards\n\nOur rewards are based on the impact of a vulnerability. We will update the program over time based on feedback, so please give us feedback on any part of the program you think we can improve on.\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for bounty.\n* When duplicates occur, we award the first report that we can completely reproduce.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Amounts below are the **maximum** we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n\n**Critical severity bugs ($3000)**: Vulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allow remote code execution, financial theft, etc. Examples:\n\n* Remote Code Execution\n* Remote Shell/Command Execution\n* Vertical Authentication bypass\n* SQL Injection that leaks targeted data\n\n**High severity bugs ($750)**: Vulnerabilities that affect the security of the platform including the processes it supports. 
Examples:\n\n* Lateral authentication bypass\n* Stored XSS for another user \n* Local file inclusion\n* Insecure handling of authentication cookies\n\n**Medium severity bugs ($300)**: Vulnerabilities that affect multiple users, and require little or no user interaction to trigger. Examples:\n\n* Reflective XSS \n* Insecure Direct Object References\n\n**Low severity bugs ($100)**: Issues that affect singular users and require interaction or significant prerequisites (MitM) to trigger. Examples:\n\n* Self-XSS\n* Information leaks\n\n## Scope\n\n*.[quora.com](http://quora.com/) (And only *.quora.com)\nThe latest version of Android and iOS apps installed from the official store at:\n\n* https://play.google.com/store/apps/details?id=com.quora.android\n* https://itunes.apple.com/us/app/quora/id456034437\n\n### **Focus Areas**\n\n* Remote code execution / shell injection\n* Vertical Authentication bypass\n* SQL injection\n\n### **Some Exclusions**\n\nSometimes we have made a conscious tradeoff and have not implemented the security best practice. Please be aware that we will not pay a bounty for reports that are only about a missing security best practice. 
\n\nExamples include but are not limited to:\n\n* Missing HTTP security headers, like:\n    * Strict-Transport-Security\n    * X-Frame-Options\n    * X-XSS-Protection\n* Non-existent or weak captcha / captcha bypass\n* Login or “Forgot Password” page brute-forcing, and account lockout not being enforced\n* Lack of enforcement of certain product feature usage limits, such as the number of A2As\n* Lack of binary protection or obfuscation of the mobile app\n* Non-sensitive user data stored unencrypted on external storage by the mobile app\n* Crashes of the mobile app due to malformed URL schemes or intents \n* Vulnerabilities that require physical access to the device\n* CSRF\n\n\nHaving said that, if a missing best practice can be exploited to impact our users, we do want to hear about it and will pay a bounty.\n\nVulnerabilities in third-party libraries without proof of exploitation will not be rewarded.\n\nhttps://www.quora.com/about/challenges/ is run by HackerRank and is therefore excluded from the bounty program.\n\nReport product-related issues by following the instructions at this link: [https://www.quora.com/How-can-I-report-a-bug-on-Quora](https://www.quora.com/How-can-I-report-a-bug-on-Quora).\n\nThank you for helping keep Quora and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-01-05T21:37:48.441Z"},{"id":3543608,"new_policy":"In order to achieve our mission of sharing and growing the world's knowledge, we need to maintain a secure platform for writers and readers. To that end, we run this bug bounty program to enlist the community's help in identifying and mitigating security threats. We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. 
Being pro-active rather than re-active to emerging security issues is a fundamental belief at Quora. Every day, new security issues and attack vectors are created. Quora strives to keep abreast of the latest state-of-the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure world.\n\n## Program Rules\n\n* Automated security testing against the site or APIs is not allowed.\n* Localize all your tests to the account you are using to test. Don't affect other users.\n* Findings derived primarily from social engineering (e.g. phishing, vishing, smishing) are not allowed.\n* Follow HackerOne's [disclosure guidelines](https://hackerone.com/guidelines).\n\n## Rewards\n\nOur rewards are based on the impact of a vulnerability. We will update the program over time based on feedback, so please give us feedback on any part of the program you think we can improve on.\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for bounty.\n* When duplicates occur, we award the first report that we can completely reproduce.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Amounts below are the **maximum** we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n\n**Critical severity bugs ($3000)**: Vulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allow remote code execution, financial theft, etc. Examples:\n\n* Remote Code Execution\n* Remote Shell/Command Execution\n* Vertical Authentication bypass\n* SQL Injection that leaks targeted data\n\n**High severity bugs ($750)**: Vulnerabilities that affect the security of the platform including the processes it supports. 
Examples:\n\n* Lateral authentication bypass\n* Stored XSS for another user \n* Local file inclusion\n* Insecure handling of authentication cookies\n\n**Medium severity bugs ($300)**: Vulnerabilities that affect multiple users, and require little or no user interaction to trigger. Examples:\n\n* Reflective XSS \n* Insecure Direct Object References\n* CSRF on sensitive actions and functions\n\n**Low severity bugs ($100)**: Issues that affect singular users and require interaction or significant prerequisites (MitM) to trigger. Examples:\n\n* Self-XSS\n* Information leaks\n\n## Scope\n\n*.[quora.com](http://quora.com/) (And only *.quora.com)\nThe latest version of Android and iOS apps installed from the official store at:\n\n* https://play.google.com/store/apps/details?id=com.quora.android\n* https://itunes.apple.com/us/app/quora/id456034437\n\n### **Focus Areas**\n\n* Remote code execution / shell injection\n* Vertical Authentication bypass\n* SQL injection\n\n### **Some Exclusions**\n\nSometimes we have made a conscious tradeoff and have not implemented the security best practice. Please be aware that we will not pay a bounty for reports that are only about a missing security best practice. 
\n\nExamples include but are not limited to:\n\n* Missing HTTP security headers, like:\n    * Strict-Transport-Security\n    * X-Frame-Options\n    * X-XSS-Protection\n* Non-existent or weak captcha / captcha bypass\n* Login or “Forgot Password” page brute-forcing, and account lockout not being enforced\n* Lack of enforcement of certain product feature usage limits, such as the number of A2As\n* Lack of binary protection or obfuscation of the mobile app\n* Non-sensitive user data stored unencrypted on external storage by the mobile app\n* Crashes of the mobile app due to malformed URL schemes or intents \n* Vulnerabilities that require physical access to the device\n\n\nHaving said that, if a missing best practice can be exploited to impact our users, we do want to hear about it and will pay a bounty.\n\nVulnerabilities in third-party libraries without proof of exploitation will not be rewarded.\n\nhttps://www.quora.com/about/challenges/ is run by HackerRank and is therefore excluded from the bounty program.\n\nReport product-related issues by following the instructions at this link: [https://www.quora.com/How-can-I-report-a-bug-on-Quora](https://www.quora.com/How-can-I-report-a-bug-on-Quora).\n\nThank you for helping keep Quora and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-12-21T15:03:00.228Z"},{"id":3543190,"new_policy":"In order to achieve our mission of sharing and growing the world's knowledge, we need to maintain a secure platform for writers and readers. To that end, we run this bug bounty program to enlist the community's help in identifying and mitigating security threats. We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. 
Being pro-active rather than re-active to emerging security issues is a fundamental belief at Quora. Every day, new security issues and attack vectors are created. Quora strives to keep abreast of the latest state-of-the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure world.\n\n## Program Rules\n\n* Automated security testing against the site or APIs is not allowed.\n* Localize all your tests to the account you are using to test. Don't affect other users.\n* Findings derived primarily from social engineering (e.g. phishing, vishing, smishing) are not allowed.\n* Follow HackerOne's [disclosure guidelines](https://hackerone.com/guidelines).\n\n## Rewards\n\nOur rewards are based on the impact of a vulnerability. We will update the program over time based on feedback, so please give us feedback on any part of the program you think we can improve on.\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for bounty.\n* When duplicates occur, we award the first report that we can completely reproduce.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Amounts below are the **maximum** we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n\n**Critical severity bugs ($3000)**: Vulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allow remote code execution, financial theft, etc. Examples:\n\n* Remote Code Execution\n* Remote Shell/Command Execution\n* Vertical Authentication bypass\n* SQL Injection that leaks targeted data\n\n**High severity bugs ($750)**: Vulnerabilities that affect the security of the platform including the processes it supports. 
Examples:\n\n* Lateral authentication bypass\n* Stored XSS for another user \n* Local file inclusion\n* Insecure handling of authentication cookies\n\n**Medium severity bugs ($300)**: Vulnerabilities that affect multiple users, and require little or no user interaction to trigger. Examples:\n\n* Reflective XSS \n* Insecure Direct Object References\n* CSRF on sensitive actions and functions\n\n**Low severity bugs ($100)**: Issues that affect singular users and require interaction or significant prerequisites (MitM) to trigger. Examples:\n\n* Self-XSS\n* Information leaks\n\n## Scope\n\n*.[quora.com](http://quora.com/) (And only *.quora.com)\nThe latest version of Android and iOS apps installed from the official store at:\n\n* https://play.google.com/store/apps/details?id=com.quora.android\n* https://itunes.apple.com/us/app/quora/id456034437\n\n### **Focus Areas**\n\n* Remote code execution / shell injection\n* Vertical Authentication bypass\n* SQL injection\n\n### **Some Exclusions**\n\nSometimes we have made a conscious tradeoff and have not implemented the security best practice. Please be aware that we will not pay a bounty for reports that are only about a missing security best practice. 
\n\nExamples include but are not limited to:\n\n* Missing HTTP security headers, like:\n    * Strict-Transport-Security\n    * X-Frame-Options\n    * X-XSS-Protection\n* Non-existent or weak captcha / captcha bypass\n* Login or “Forgot Password” page brute-forcing, and account lockout not being enforced\n* Lack of enforcement of certain product feature usage limits, such as the number of A2As\n* Lack of binary protection or obfuscation of the mobile app\n* Non-sensitive user data stored unencrypted on external storage by the mobile app\n* Crashes of the mobile app due to malformed URL schemes or intents \n\n\nHaving said that, if a missing best practice can be exploited to impact our users, we do want to hear about it and will pay a bounty.\n\nVulnerabilities in third-party libraries without proof of exploitation will not be rewarded.\n\nhttps://www.quora.com/about/challenges/ is run by HackerRank and is therefore excluded from the bounty program.\n\nReport product-related issues by following the instructions at this link: [https://www.quora.com/How-can-I-report-a-bug-on-Quora](https://www.quora.com/How-can-I-report-a-bug-on-Quora).\n\nThank you for helping keep Quora and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-12-14T01:40:27.855Z"},{"id":3543047,"new_policy":"In order to achieve our mission of sharing and growing the world's knowledge, we need to maintain a secure platform for writers and readers. To that end, we run this bug bounty program to enlist the community's help in identifying and mitigating security threats. We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. 
Being pro-active rather than re-active to emerging security issues is a fundamental belief at Quora. Every day, new security issues and attack vectors are created. Quora strives to keep abreast of the latest state-of-the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure world.\n\n## Program Rules\n\n* Automated security testing against the site or APIs is not allowed.\n* Localize all your tests to the account you are using to test. Don't affect other users.\n* Findings derived primarily from social engineering (e.g. phishing, vishing, smishing) are not allowed.\n* Follow HackerOne's [disclosure guidelines](https://hackerone.com/guidelines).\n\n## Rewards\n\nOur rewards are based on the impact of a vulnerability. We will update the program over time based on feedback, so please give us feedback on any part of the program you think we can improve on.\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for bounty.\n* When duplicates occur, we award the first report that we can completely reproduce.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Amounts below are the **maximum** we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n\n**Critical severity bugs ($3000)**: Vulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allow remote code execution, financial theft, etc. Examples:\n\n* Remote Code Execution\n* Remote Shell/Command Execution\n* Vertical Authentication bypass\n* SQL Injection that leaks targeted data\n\n**High severity bugs ($750)**: Vulnerabilities that affect the security of the platform including the processes it supports. 
Examples:\n\n* Lateral authentication bypass\n* Stored XSS for another user \n* Local file inclusion\n* Insecure handling of authentication cookies\n\n**Medium severity bugs ($300)**: Vulnerabilities that affect multiple users, and require little or no user interaction to trigger. Examples:\n\n* Reflective XSS \n* Insecure Direct Object References\n* CSRF on sensitive actions and functions\n\n**Low severity bugs ($100)**: Issues that affect singular users and require interaction or significant prerequisites (MitM) to trigger. Examples:\n\n* Self-XSS\n* Information leaks\n\n## Scope\n\n*.[quora.com](http://quora.com/)\nThe latest version of Android and iOS apps installed from the official store at:\n\n* https://play.google.com/store/apps/details?id=com.quora.android\n* https://itunes.apple.com/us/app/quora/id456034437\n\n### **Focus Areas**\n\n* Remote code execution / shell injection\n* Vertical Authentication bypass\n* SQL injection\n\n### **Some Exclusions**\n\nSometimes we have made a conscious tradeoff and have not implemented the security best practice. Please be aware that we will not pay a bounty for reports that are only about a missing security best practice. 
\n\nExamples include but are not limited to:\n\n* Missing HTTP security headers, like:\n    * Strict-Transport-Security\n    * X-Frame-Options\n    * X-XSS-Protection\n* Non-existent or weak captcha / captcha bypass\n* Login or “Forgot Password” page brute-forcing, and account lockout not being enforced\n* Lack of enforcement of certain product feature usage limits, such as the number of A2As\n* Lack of binary protection or obfuscation of the mobile app\n* Non-sensitive user data stored unencrypted on external storage by the mobile app\n* Crashes of the mobile app due to malformed URL schemes or intents \n\n\nHaving said that, if a missing best practice can be exploited to impact our users, we do want to hear about it and will pay a bounty.\n\nVulnerabilities in third-party libraries without proof of exploitation will not be rewarded.\n\nReport product-related issues by following the instructions at this link: [https://www.quora.com/How-can-I-report-a-bug-on-Quora](https://www.quora.com/How-can-I-report-a-bug-on-Quora).\n\nThank you for helping keep Quora and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-12-09T19:03:01.780Z"},{"id":3542986,"new_policy":"In order to achieve our mission of sharing and growing the world's knowledge, we need to maintain a secure platform for writers and readers. To that end, we run this bug bounty program to enlist the community's help in identifying and mitigating security threats. We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being pro-active rather than re-active to emerging security issues is a fundamental belief at Quora. Every day, new security issues and attack vectors are created. 
Quora strives to keep abreast of the latest state-of-the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure world.\n\n## Program Rules\n\n* Automated security testing against the site or APIs is not allowed.\n* Localize all your tests to the account you are using to test. Don't affect other users.\n* Findings derived primarily from social engineering (e.g. phishing, vishing, smishing) are not allowed.\n* Follow HackerOne's [disclosure guidelines](https://hackerone.com/guidelines).\n\n## Rewards\n\nOur rewards are based on the impact of a vulnerability. We will update the program over time based on feedback, so please give us feedback on any part of the program you think we can improve on.\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for bounty.\n* When duplicates occur, we award the first report that we can completely reproduce.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Amounts below are the **maximum** we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n\n**Critical severity bugs ($3000)**: Vulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allow remote code execution, financial theft, etc. Examples:\n\n* Remote Code Execution\n* Remote Shell/Command Execution\n* Vertical Authentication bypass\n* SQL Injection that leaks targeted data\n\n**High severity bugs ($750)**: Vulnerabilities that affect the security of the platform including the processes it supports. Examples:\n\n* Lateral authentication bypass\n* Stored XSS for another user \n* Local file inclusion\n* Insecure handling of authentication cookies\n\n**Medium severity bugs ($300)**: Vulnerabilities that affect multiple users, and require little or no user interaction to trigger. 
Examples:\n\n* Reflective XSS \n* Insecure Direct Object References\n* CSRF on sensitive actions and functions\n\n**Low severity bugs ($100)**: Issues that affect singular users and require interaction or significant prerequisites (MitM) to trigger. Examples:\n\n* Self-XSS\n* Information leaks\n\n## Scope\n\n*.[quora.com](http://quora.com/)\nThe latest version of Android and iOS apps installed from the official store at:\n\n* https://play.google.com/store/apps/details?id=com.quora.android\n* https://itunes.apple.com/us/app/quora/id456034437\n\n### **Focus Areas**\n\n* Remote code execution / shell injection\n* Vertical Authentication bypass\n* SQL injection\n\n### **Some Exclusions**\n\nSometimes we have made a conscious tradeoff and have not implemented the security best practice. Please be aware that we will not pay a bounty for reports that are only about a missing security best practice. \n\nExamples include but are not limited to:\n\n* Missing HTTP security headers, like:\n    * Strict-Transport-Security\n    * X-Frame-Options\n    * X-XSS-Protection\n* Non-existent or weak captcha / captcha bypass\n* Login or “Forgot Password” page brute-forcing, and account lockout not being enforced\n* Lack of enforcement of certain product feature usage limits, such as the number of A2As\n* Lack of binary protection or obfuscation of the mobile app\n* Non-sensitive user data stored unencrypted on external storage by the mobile app\n* Crashes of the mobile app due to malformed URL schemes or intents \n\n\nHaving said that, if a missing best practice can be exploited to impact our users, we do want to hear about it and will pay a bounty.\n\nVulnerabilities in third-party libraries without proof of exploitation will not be rewarded.\n\nReport product-related issues by following the instructions at this link: [https://www.quora.com/How-can-I-report-a-bug-on-Quora](https://www.quora.com/How-can-I-report-a-bug-on-Quora).\n\nThank you for helping keep Quora and our users 
safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-12-08T20:02:11.683Z"}]