If you believe you may have found a security vulnerability in Quivre, please email me ASAP at security@quiv.re with detailed steps to reproduce, and a clear description of any potential impact.
Please read this page carefully. Blatantly invalid reports may not get a response, thank you!
I kindly request that during your research, you make every effort to strictly maintain the privacy and integrity of Quivre user data - and to avoid degrading Quivre's service.
Once you've reported an issue, please give me a reasonable amount of time to reply and to fix any reported vulnerabilities before making the issue public.
In exchange, I promise to investigate reports as quickly as I can - and I agree to not take any legal action against you for your research.
Full credit for any discovery is of course yours (if you want it) in any public postmortem published after bugs have been fixed.
And as a gesture of appreciation for security research efforts, I'm offering a money reward for valid reports (see below).
For a reward to be valid, it must satisfy ALL of the criteria below.
Please keep in mind that >99% of reports are little more than spam. Invalid reports that have not followed these instructions may not always get a response, thanks for understanding!
Ultimately it will be solely at my discretion which reports qualify for a monetary reward.
Qualifying reports will receive a minimum of €20 and a maximum of €200, determined solely at my discretion based on severity and the number of affected users.
Payments will be made by PayPal, and any taxes or other fees are solely the recipient's responsibility.
(Note: Quivre is currently a private side project for me; I'll try to ramp up the rewards as I'm able to.)
| Researcher | Vulnerability | Reported | Fixed | Paid |
|---|---|---|---|---|
| Hazard | External "_blank" links were vulnerable to "tabnabbing" in vulnerable browsers. | 2020-12-05 | <6 hours | €30 |
| Muskan Shaikh | During sign-up, it was possible to see if an email address was already registered. | 2020-11-08 | <2 hours | €30 |
| Anonymous | HSTS was only being applied to the main domain (www.quiv.re), and not to quiv.re. | 2020-09-03 | <3 hours | €20 |
| maSScan | Login rate limiter could be bypassed using null characters in the username. | 2020-09-02 | <1 hour | €30 |
| Arjun Singh | HTML injection vulnerability in private consent URL (not normally shared, so low practical significance). | 2020-06-26 | <48 hours | €30 |
| avn | Missing Feature Policy HTTP header. | 2020-06-18 | <48 hours | €30 |
| Virendra Tiwari | Theoretical vulnerability against CVE-2013-3587. | 2020-04-27 | <17 hours | €20 |
| Virendra Tiwari | Back button could expose a user's Quivre code (but not answers) after logout. | 2019-10-22 | <4 hours | €40 |
| Amal Thamban | TLS 1.0 (weak) supported for old browsers. | 2019-09-25 | <6 hours | €20 |
| Amal Thamban | Risk of email spoofing (had SPF+DKIM but no DMARC). | 2019-09-23 | <6 hours | €50 |
| Ashik S N | Practical HTML injection vulnerability in Quivre code links. | 2019-07-08 | <5 hours | €50 |