Qwant

About us
QWANT is an European search engine that values you as a user, not as a product.

Overview
Qwant values the contribution of security researchers and invites them to participate in our Bug Bounty Program. This program aims to encourage responsible reporting of potential security vulnerabilities in our systems. By participating, researchers agree to adhere to these guidelines, which are designed to protect both Qwant and the researchers.

Qwant reserves the right to modify, suspend, or terminate the Bug Bounty Program at any time. Decisions regarding reward eligibility and amounts are at Qwant's sole discretion.

Qwant appreciates the efforts of the security community and looks forward to collaborating to enhance the security of our platform. We encourage researchers to approach this opportunity with responsibility and professionalism.

Rewards

Qwant will offer a minimum reward of 100€. There is no maximum reward as it will be determined by Qwant security team according to the level of criticity and impact of the reported vulnerability.

Any non-security related issue (bug, wrong interface/API behavior, ...) will not be eligible for a money reward and should be sent to https://about.qwant.com/en/contact/.

Guidelines and policy

• Non-Disruption: Participants must avoid any action that would disrupt services or compromise any Personally Identifiable Information (PII) data.
• Responsible disclosure: Participants are required to privately report vulnerabilities directly to Qwant though YesWeHack platform and refrain from public disclosure until the issue is resolved. Only the first reporter of a unique vulnerability will be considered for a reward, otherwise the issue will be triaged as Duplicate.
• Participants eligibility: Current or former employees of Qwant are not eligible to participate in this program.
• Prohibited techniques: The use of brute force methods, scanners, or any attempts to perform a Denial of Service (DoS) attack on our platform are strictly prohibited.
• Legal compliance: All activities must comply with applicable local, state, national, and international laws.
• Scope adherence: Participants must stay within the defined scope of the program.
• Physical security and social-engineering: Social-engineering or physical attacks against Qwant employees, offices, contractors, vendors, service providers or data centers are stricly prohibited.
• Code of conduct: Participants are encouraged to approach this program with a constructive and professional attitude.
• Acceptance of terms: Participation in this program constitutes acceptance of these guidelines.
• Violation of terms: Failure to adhere to these guidelines may result in exclusion from the program and potential legal consequences at Qwant's sole discretion

Qualifying vulnerabilities
The qualifying vulnerabilities that will be rewarded accordingly to the issue severity include, but are not limited to:

• Authentication and Authorization Flaws
  • Authentication bypass.
  • Broken access control / session management.
  • Privilege escalation.
• Injection Flaws / Remote Code Execution
  • SQL, NoSQL, and ORM injection.
  • LDAP injection.
  • Command injection.
• Cross-Site Scripting (XSS) and related flaws
  • Stored and reflected XSS.
  • DOM-based XSS.
  • Cross-site request forgery (CSRF).
• Server-Side Vulnerabilities
  • Remote code execution.
  • Server-side request forgery (SSRF).
  • Insecure direct object references.
• Cryptography Issues
  • Weak encryption.
  • Insecure usage of cryptography.
• API Security Issues
  • Broken object level authorization in APIs.
  • Broken function level authorization in APIs.
  • Excessive data exposure through APIs.
• Other miscellaneous vulnerabilities
  • File upload vulnerabilities.
  • Directory traversal.
  • Local file inclusion (LFI) and remote file inclusion (RFI).
• Data Exposure and Leakage
  • Sensitive data exposure.
  • Sensitive information disclosure.
• Security Misconfiguration
  • Misconfigured HTTP headers with security impact.
  • Insecure default configurations.
  • Exposed administrative interfaces.
• Outdated Components depending of the security impact
  • Using components with known vulnerabilities.
  • Lack of regular updates or patching.

Non-qualifying issues
Non-qualifying issues that will lead to Invalid, Not applicable, Out of scope or Duplicate status include, but are not limited to:

• Low Impact and Theoretical Issues
  • Self-XSS vulnerabilities.
  • Clickjacking with no demonstrated impact.
  • Text injection without a demonstrated security impact.
• Speculative reports
  • Hypothetical vulnerabilities without practical exploitation scenarios.
  • Unreviewed scanners outputs
• Commonly excluded vulnerabilities
  • Missing security headers without demonstrable impact.
  • SSL/TLS best practices violations.
  • Best practice violations in SPF, DKIM, and DMARC settings.
• Third-Party issues
  • Vulnerabilities in external applications or services that are not managed by Qwant.
  • Issues affecting outdated browsers or platforms.
• Client-Side / Local Issues
  • Issues only affecting outdated or unpatched browsers.
• Social Engineering and Physical Attacks
  • Phishing or other forms of social engineering.
  • Any physical attempts against Qwant property or data centers.
• Denial of Service
  • DoS/DDoS vulnerabilities.
  • Rate limiting or resource exhaustion issues.
• Misconfigurations with limited impact
  • Minor misconfigurations with no direct security implications.
• Other issues without impact
  • Content spoofing or text injection issues without security implications.
  • Missing CSRF tokens on low-risk functionalities or others CSRF with minimal impact
  • Account enumeration and guessable user accounts.
  • Issues related to password policies.
  • Host header injection without impact on security
  • Application or server error messages
  • Non-sensitive (i.e., non-session) cookies missing the Secure or HttpOnly flags
  • Password or account recovery policies, such as reset link expiration or password complexity
  • Presence of application or web browser "autocomplete" or "save password" functionalities
  • Version numbers / banners disclosure on public facing services