Vulnerability Disclosure Program

Qwilr understands that securing the data our customers entrust us with is a big responsibility, and one that we don't take lightly. We value the efforts of security researchers and the broader security community to improve security and privacy online.

Qwilr's vulnerability disclosure program aims to recognise security researchers who responsibly disclose vulnerabilities to us, to explain the conditions under which research is authorised and how we will manage disclosed vulnerabilities (including safe-harbour provisions), and to give both customers and security researchers confidence in our processes, so that Qwilr, our customers and their data remain secure.

Guidelines

Qwilr requires that all researchers:

  • Make a good faith effort to avoid violations of privacy, degradation of user experience, disruption to production systems, and destruction of data during security testing
  • Perform research only within the scope set out below
  • Limit the number of accounts created to three
  • Provide a report through one of our support channels, including:
    • A description of the location and potential impact of the vulnerability
    • A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, or video recordings - we particularly like Loom)
    • The names of any test users/accounts you have created
  • Wait for our consent to discuss a vulnerability with other parties
  • Allow us to engage a neutral third party to assist if communications or other problems arise

Response Targets

Qwilr will make best efforts to respond to submissions in the following timeline:

  • Time of first response - 3 business days from submission
  • Time to triage - 10 business days from submission
  • Time to remediation - Will vary based on the complexity and level of risk

We aim to keep our security researchers updated throughout the process.

In Scope Targets

  • qwilr.com
  • api.qwilr.com
  • app.qwilr.com
  • idp.qwilr.com
  • springboard.qwilr.com
  • any other Qwilr sites that include a security.txt file (i.e. https://<site>/.well-known/security.txt)

Out of Scope

The following attacks or reports are out of scope:

  • Missing best practices in SSL/TLS configuration
  • Missing best practices in Content Security Policy
  • Missing security headers which don’t directly lead to a vulnerability or account compromise
  • Presence of common public files, such as robots.txt or files in the .well-known directory
  • Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
  • Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)
  • Password policy issues, including lack of upper limit on passwords
  • Issues related to rate limiting or brute forcing (including account enumeration)
  • Self-exploitation issues (such as self XSS, cookie reuse, self denial of service, etc.)
  • Attacks requiring Man-in-the-middle (MITM) or physical access to a user's device
  • Vulnerabilities affecting users of older browsers (less than two versions behind the most recent stable version)
  • Previously known vulnerable libraries without a working Proof of Concept
  • Clickjacking issues, unless you can demonstrate an account takeover or disclosure of sensitive information
  • UI and UX bugs (including spelling mistakes)
  • Qwilr social media accounts
  • Sites provided to Qwilr by other organisations, including:

In the interest of the safety of our staff and our customers, the following test types are also out of scope:

  • Social engineering or phishing of Qwilr’s workforce
  • Any attacks against Qwilr’s physical property, offices or data centres
  • Any attacks against other users of Qwilr

Things we do not want to receive

In the unlikely event that you discover any sensitive information, we ask that you describe or redact the following in your submission rather than include it:

  • Personally Identifiable Information (PII)
  • Cardholder data, such as credit or debit card details

Rewards

Qwilr may, at its sole discretion, offer nominal rewards (including monetary rewards) for new vulnerability reports. Qwilr will base any rewards on the completeness of the report and the risk to Qwilr and its customers (rather than the severity). All security researchers who have worked with us to improve the security of Qwilr will be added to our Hall of Fame.

Higher Risk: AUD $500

  • Examples: Remote code execution, unrestricted access to underlying file systems or databases, or vulnerabilities bypassing significant security controls.

Medium Risk: AUD $250

  • Examples: Elevated privileges or unauthorised access to other Qwilr customer accounts, or vulnerabilities that lead to significant access of customer generated content.

Lower Risk: AUD $50

  • Examples: The ability to deliver malicious content to individual creators or consumers of Qwilr, such as XSS, SSRF, and open redirects.

Others: Recognition on Qwilr's Hall of Fame

  • Valid security vulnerabilities that don’t fall into the above ratings, or that apply to third-party or external services.

Submissions from people who are subject to international sanctions will not be eligible for monetary rewards.

Safe Harbour

Any activities conducted in a manner consistent with this program will be considered authorised conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this program.

Modified: 2023-03-23