Update Highlights: Poe.com
We highly encourage all researchers who are interested in AI products to test Poe and help us maintain the highest possible levels of security for our users.
Introduction
We are committed to the safety and security of users on both Quora and Poe. To recognize the importance of independent security researchers who help keep our platforms secure, we offer the following bug bounty program to reward the reporting of certain qualifying security vulnerabilities. Please make sure you review the following information before reporting a vulnerability. We welcome your feedback at ([email protected]) as we continue to improve our bug bounty programs.
By participating in these programs, you agree to the rules described below.
Program Rules
- Our rewards are based on the impact of a vulnerability and how we classify the severity of bugs. For more details, please see Issue Severity below. While a CVSS calculator can be useful for estimating severity, we can't guarantee that our assessment will match its results.
- When duplicates occur, we award the first report that we can completely reproduce.
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- Amounts below are the maximum we will pay per category. We aim to be fair, but all reward amounts are at our discretion.
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for bounty.
- Follow HackerOne's disclosure guidelines here: https://www.hackerone.com/disclosure-guidelines.
- Limit all your testing to accounts you own and use for testing, so you don't affect other users.
- Automated security testing against the site or APIs is not allowed.
- Vulnerabilities in third-party libraries without proof of exploitation will not be rewarded.
- Report product-related (non-security) issues by following the instructions at https://www.quora.com/How-can-I-report-a-bug-on-Quora.
- Employees and contractors who have worked for Quora in the last 6 months are not eligible for a bounty.
Focus Areas
- Currently we're focused on critical vulnerabilities and personal data leaks.
- poe.com
- Android, iOS, web, and desktop apps (macOS/Windows) are all included
- User information, PII, Poe account information
- Bot chats
- Poe subscriptions
- IDOR (Insecure Direct Object References)
Issue Severity
Critical severity bugs
Vulnerabilities that allow privilege escalation on the platform from an unprivileged user to admin, remote code execution, financial theft, etc.
Examples:
- Remote Code Execution
- Remote Shell/Command Execution
- SQL Injection that leaks targeted data
- Vulnerabilities in access control to our AWS resources
- Misconfigured firewall in our AWS environment
- Jailbreaking (escaping) the Poe server sandbox
High severity bugs
Vulnerabilities that affect the security of the platform including the processes it supports.
Examples:
- Lateral movement
- Authentication bypass
- Stored XSS for another user
- Local file inclusion
- Insecure handling of authentication cookies
- PII leakage through the Poe Protocol
Medium severity bugs
Vulnerabilities that affect multiple users, and require little or no user interaction to trigger.
Examples:
- Reflected XSS
- Insecure Direct Object References
Low severity bugs
Issues that affect individual users and require user interaction or significant prerequisites (e.g. a man-in-the-middle position) to trigger.
Examples:
Exclusions
The following bugs are unlikely to be eligible for a bounty:
- Missing HTTP security headers, like:
- Strict-Transport-Security
- X-Frame-Options
- X-XSS-Protection
- Non-existent or weak captcha / captcha bypass
- Brute-forcing, lack of rate limits, or the ability to bypass rate limits, unless there is a demonstrable security impact
- Lack of binary protection or obfuscation of the mobile app
- Lack of SSL certificate pinning in mobile apps
- Lack of jailbreak detection
- Non-sensitive user data stored unencrypted on external storage by the mobile app
- Blind SSRF
- Any CSRF that can't trigger a state change on the user's account
- Vulnerabilities that require physical access to the device, or a compromised email address or linked OAuth account (Facebook, Google)
- Phishing/spam attacks against users on the platform or Quora employees, and other findings derived from social engineering
- Self-XSS
- Tapjacking on mobile app
- DoS
- Crashes of the mobile app due to malformed URL schemes or intents
- quora.com/cdn-cgi/ and poe.com/cdn-cgi/ endpoints, as they are managed by Cloudflare
- Email enumeration by brute-forcing
- Our Help Site (https://help.quora.com) is run by a third party and is therefore excluded from the bounty program.
- Our Careers Site (https://www.careers.quora.com/) is run by a third party and is therefore excluded from the bounty program.
- Our Business Site (https://business.quora.com/) is run by a third party and is therefore excluded from the bounty program.
- Race conditions bypassing product usage limits such as:
- voting, spam reports, thanking, Space URLs/names
- Paywalled content. Quora+ content is out of scope for the program.
- Space invite links
Exclusions for Poe.com
- Bot hallucinations: Because testing AI is tricky, make sure results from bots are real, independently reproducible findings and not bot hallucinations. A bot claiming to have run a command, read a file, or accessed another user's data is not evidence on its own; the effect must be confirmed outside the conversation.
- Unofficial bots: Because bots can be created by third parties, we will only triage findings in official bots.
- This is the list of official bots to test: https://poe.com/explore?category=Official
- Help Site (https://help.poe.com/)
Additional Terms & Safe Harbor
You must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.
We may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively.
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Please note we do not reimburse independent security researchers for the cost of any subscriptions.
Thank you for helping keep Quora and Poe users safe!