Vulnerability reporting policy

How to report security vulnerabilities to Qminder in a responsible disclosure manner.

Written by Siim Raud
Updated over a week ago

Qminder believes in a program that fosters collaboration among security professionals to help protect our systems and our customers' personal information from malicious activity arising from vulnerabilities in our networks, web and mobile applications, and the security policies set across our organization. We treat the security and safety of our customers' personal information with the utmost importance. For the protection of our customers, Qminder does not disclose, discuss or confirm security matters until any known issue has been comprehensively investigated, diagnosed and fixed.

The primary contact for security vulnerabilities is security@qminder.com.

Please do not contact our Support (live chat) or support@qminder.com with security vulnerability reports. Our Support staff will simply ignore those requests :)

Program rules

  • Do not intentionally harm the experience or usefulness of the service to others, including degradation of services & denial of service attacks.

  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

  • Do not disclose the reported vulnerability to others until we’ve had reasonable time to address it.

Program eligibility

  • You must agree and adhere to the Program Rules and Legal terms as stated in this policy.

  • You must be the first to report the issue in order to be eligible for bounty.

  • You must be available to supply additional information, as needed by our team, to reproduce and triage the issue.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Priority system & reward tiers

Qminder uses Bugcrowd's Vulnerability Rating Taxonomy (VRT) to prioritize security issues. Any security issue with P3, P4 or P5 priority will usually be scheduled for a fix later down the road and is not eligible for a reward.

Program scope

Any third-party products that are utilized by Qminder (such as Google Analytics, TrackJS, Intercom, et al) are out of scope!

Included:

  • api.qminder.com

  • dashboard.qminder.com

  • AWS Lambda services with exposed HTTPS access, that provide functionality for the above domains

Excluded:

  • Google Analytics 360 Suite

  • Third-party analytics tools

  • TrackJS

  • Intercom

  • SendGrid, and other third party vendors

Excluded vulnerabilities

The following categories of reports are considered out of scope for our program and will not be rewarded:

  • Denial of Service attacks.

  • Brute Force attacks.

  • Reports related to the following security-related headers: Strict Transport Security (HSTS), XSS mitigation headers (X-Content-Type and X-XSS-Protection), X-Content-Type-Options, Content Security Policy (CSP) settings

  • Publicly-released bugs in internet software within 7 days of their disclosure.

  • "Advisory" or "Informational" reports that do not include any Qminder-specific testing or context.

  • Vulnerabilities requiring physical access to the victim's unlocked device.

  • Content Spoofing.

  • Descriptive error messages or headers (e.g. Stack Traces, application or server errors, banner grabbing).

  • Bugs that do not represent any security risk - these should be reported to support@qminder.com.

  • Full-Path Disclosure on any property.

  • Disclosure of known public files or directories.

  • Use of outdated software / library versions.

  • Use of a known-vulnerable library without a description of an exploit specific to our implementation

  • OPTIONS / TRACE HTTP method enabled.

  • CSRF on logout.

  • Cookies that lack HTTPOnly or Secure settings.

  • Self-XSS and issues exploitable only through Self-XSS.

  • Reports from automated tools or scans.

  • Attacks requiring physical access to a user's device or MITM attacks.

  • Attacks dependent upon social engineering of Qminder employees or vendors.

  • Username enumeration based on login, forgot password, account creation and registration pages.

  • Mail configuration issues including SPF, DKIM, DMARC settings.

  • Lack of email address verification during account registration.

  • Rate-limiting issues. You can submit rate-limit issues related to the Qminder API.

  • Issues related to active sessions after password changes.

  • Reports of credentials exposed by other data breaches / known credential lists.

  • Lack of crossdomain.xml, p3p.xml, robots.txt or any other policy files, and/or the presence or misconfiguration of wildcards in these.

  • Lack of obfuscation in mobile apps.

  • Absence of certificate pinning.

  • Lack of jailbreak detection in mobile apps.

Qminder reserves the right to add to and subtract from the Exclusions list depending on the evaluated severity of reported vulnerabilities and risk acceptance.

Rewards

As a general guideline, Qminder does not reward security issues with a Bugcrowd VRT priority level less than P3.

All bounty amounts will be at the discretion of the Qminder Bug Bounty team and will be evaluated for severity, impact, and quality of the report. There could be submissions for which we accept the risk and will not fix.

Qminder uses the Bugcrowd VRT priority level as a guide when deciding whether to reward a bug submission. Our reward panel will review each vulnerability submission for eligibility and final reward consideration. Final reward amounts are at the sole and final discretion of Qminder's reward panel. In some instances, our reward panel may choose higher rewards for unusually major, clever or complex vulnerability submissions.

If we receive several reports for the same issue, we offer the reward to the earliest report for which we have enough actionable information to identify the issue.

If a single fix resolves multiple vulnerabilities, we treat this as a single vulnerability, which will receive a single bounty.

Rewards may be reduced or declined if there is evidence of abuse, such as data exfiltration or withholding reports in order to chain multiple issues together.

What to include in your report

A well-written report will allow us to more quickly and accurately triage your submission.

Please be aware that the quality of your report is critical to our evaluation of your submission. We encourage you to use the list below as a template for your report. This does NOT mean you need to fully exploit the issue, just provide the information with as much detail as possible.

  • A clear description of the issue, including the impact you believe it has on the user, Qminder, or others.

  • All the steps required to reproduce the issue: specific reproduction steps, including the environment used for testing (browsers, devices, tools, configuration) and any accounts used during testing.

  • State the name of the applicable product or platform, including the version numbers.

  • What is the impact of your issue?

  • Your recommendations to resolve the issue.

  • What are some scenarios where an attacker would be able to exploit this vulnerability? A proof of concept or functional exploit code would be helpful.

Legal

Qminder reserves the right to modify the terms and conditions of this program, and your participation in the program constitutes acceptance of all terms. Please check this site regularly, as we routinely update our program terms and eligibility, which are effective upon posting. We reserve the right to cancel this program at any time. You must be 18 or older to be eligible for an award.
