UPDATE (2020/12/18): The Bug Bounty Program has been temporarily suspended until further notice. Any pending cases and payments will be processed per terms below.
Summary
Quadency recognizes the importance and value of security researchers’ efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”) described on this page.
Details
A report must be a valid, in-scope report in order to qualify for a bounty. Quadency will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.
Program Policies
Quadency pledges not to initiate legal action for security research conducted pursuant to all Bug Bounty Program policies, including good-faith and accidental violations. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and applicable anti-hacking laws such as Cal. Penal Code 502(c). We will not bring a DMCA claim against researchers for circumventing the technological measures we have used to protect the applications in the scope of the Bug Bounty Program.
Please submit a report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy. This report should include a brief description of your intended conduct so that we may determine whether it is consistent with the Bug Bounty Program policy.
We believe it is critical to provide these assurances in order to allow security researchers to fully investigate potential security vulnerabilities.
Important: Any testing activity that can be disruptive to the platform services or user experience must be announced to the team ahead of time. Not doing so will disqualify any bounty rewards resulting from disclosure thereafter.
Researcher Requirements
Complying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”. Responsible Disclosure includes:
Providing Quadency a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party.
Making a good faith effort to preserve the confidentiality and integrity of any Quadency customer data.
Not defrauding Quadency customers or Quadency itself in the process of participating in the Bug Bounty Program.
Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Quadency.
Reporting vulnerabilities with no conditions, demands, or ransom threats.
Quadency considers Social Engineering attacks against Quadency employees to be a violation of Program Policies. Researchers engaging in Social Engineering attacks against Quadency employees will be banned from the Quadency Bug Bounty program. We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.
Report Evaluation
In order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Quadency that harms Quadency or Quadency customers. Reports that include a clear Proof of Concept or specific step-by-step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.
A report must be a valid, in-scope report in order to qualify for a bounty. Quadency awards bounties based on the severity of the vulnerability. We determine severity based on two factors: Impact and Exploitability.
Impact describes the effects of successful exploitation upon Quadency systems or customers. We make this assessment primarily by examining the effects of exploitation on confidentiality, integrity, or availability of underlying information. Vulnerabilities that require considerable response and remediation efforts or could result in reputational damage are also considered to have a greater impact. For example:
Critical Impact: Attackers can read or modify Sensitive Data in a system, and execute arbitrary code on the system.
Low Impact: Attackers can gain small amounts of unauthorized, low sensitivity information impacting a subset of users, or slightly impact the accuracy and performance of the system.
Exploitability describes the difficulty of actively exploiting the vulnerability itself. We make this assessment primarily based on the prerequisites for exploitation, including the level of access required, availability of information critical for successful exploitation, and the likelihood of alignment of required factors outside the attacker's direct control such as social engineering requirements or timing requirements. For example:
Critical Exploitability: Attackers can unilaterally exploit the finding without significant roadblocks or special conditions outside attacker control.
Low Exploitability: Exploitation is difficult due to several requirements, such as access limitations, complicated social engineering, guessing unknown values, or alignment of unpredictable race conditions.
Severity is determined as a combination of Impact and Exploitability. For example:
Critical Severity: a state of immediate, easily accessible threat of large-scale compromise or irreversible damage to Quadency or Quadency customers.
Low Severity: a state of no immediate threat where an opportunity exists for an improvement that may mitigate a potential future vulnerability.
In order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, Quadency uses the severity of a report to place the report into one of the following tiers.
The payouts listed next to each tier are minimum bounties for the tier. Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or creativity of the exploitation. Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports.
Previous bounty amounts are not considered precedent for future bounty amounts. Software is constantly changing, and therefore the exact same vulnerability can have drastically different security impacts at different points in the development timeline.
Scope
The Quadency Bug Bounty program scope covers all software vulnerabilities in services provided by Quadency.
Specific domains hosting Quadency services are provided below:
https://*.quadency.com (All assets on quadency.com and subdomains, excepting services provided by third parties)
Please view the scope section for a more detailed list of in-scope and out-of-scope assets. Companies Quadency has acquired are not in the scope of the bug bounty program unless they are specifically added to the scope section and declared in scope.
Additionally, all vulnerabilities that require or are related to the following are out of scope:
Social engineering
Physical security
Non-security-impacting UX issues
Deprecated Open Source libraries are not in scope. If you would like to report a vulnerability for one of these libraries, please submit it on GitHub via an issue or PR.
Vulnerabilities or weaknesses in third-party applications that integrate with Quadency
Ability to abuse existing banking functionality such as ACH or credit card chargebacks
If you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.
Reporting a Vulnerability
To report a vulnerability, be sure you've read this page in its entirety, then email [email protected] with details on the issue and how to reproduce it.
Our team generally reviews all submissions immediately and, if deemed necessary, will evaluate the findings in a timely manner and respond within 2 weeks. Due to the volume of low severity submissions, we cannot acknowledge and respond to each and every report. If you do not receive a response within 2 weeks, your report is likely below the "low" tier or has already been reported previously.
Please note: DO NOT engage with Live Chat support for security-related issues. Only reports sent to the email above will be reviewed. Any follow-ups on status through any other channels including social media, live chat, or main support email are not reviewed by the security team.
Fine Print
We reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.
The current Bug Bounty Program as described on this page is v1.0 of our Bug Bounty Program.