The Quiver HackerOne program is currently (temporarily) suspended. We ask you for your understanding in this matter.

While Quiver has designed and built its technology with strong security and privacy in mind, we do know that security is always evolving and total security is impossible to reach. Quiver believes that working with skilled security researchers across the globe is crucial in identifying any remaining weaknesses in our technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Because of the constant and massive amount of scans being performed against our environment we have to add the following rule: Any kind of automated scans are not permitted. Reports stemming from automated scans will not be eligible for a bounty and risk being marked as Not Applicable or Spam (even if you rewrote the finding in your own words).

Disclosure Policy

• Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
• Provide us a reasonable amount of time to resolve the issue and consult with us before any disclosure to the public or a third-party.
• We do not allow privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder, don't attempt to access other people's private data.
• Moving beyond "proof of concept" is not accepted, when in doubt please contact us.

In Scope

• Website https://quiver.net
• Website https://home.quiver.net
• Android application (https://play.google.com/store/apps/details?id=quiver.is.awesome.android)
• iOS application (https://itunes.apple.com/us/app/quiver-secure.-track.-control./id968080277)

Bounty Program

To show our appreciation of responsible security researchers, Quiver offers a monetary bounty for reports of qualifying security vulnerabilities. Reward amounts will vary based upon the severity of the reported vulnerability, and eligibility is at our sole discretion. To receive rewards, you must be the first reporter of a vulnerability. Reporters who do not comply with the rules stated on this page will not be eligible for any rewards. Note: We are currently still in private mode on HackerOne, to be added to our program, please send an email to [email protected]

Exclusions

While researching, we'd like to ask you to refrain from:

• Any kind of Denial of Service
• Any kind of brute force or flood based attacks
• Social engineering (including phishing) of Quiver staff or contractors
• Any physical attempts against Quiver property or data centers
• Spamming
• Use of automated (high traffic) tools (e.g. skipfish, dirbuster)
• Missing cookie flags on non-sensitive cookies
• Reports from automated tools or scans
• Missing HTTP security headers (unless you provide a proof of concept indicating their importance)
• Reports of insecure SSL/TLS ciphers (unless you provide a proof of concept indicating the importance)
• XSS vulnerabilities that are exploited by manually intercepting and editing traffic on the network
• Configuration issues not controlled by Quiver (e.g. Azure services)
• Mass creation of accounts, folders or files

Thank you for helping keep Quiver and our users safe!