Description

QCL QUAD CODE CY LIMITED is a software development company registered in the Republic of Cyprus under company registration number HE391725, with its registered office at 82nd road, 4 Kato Polemidia, 4153, Limassol, Cyprus, together with its affiliated entities (Quadcode). Quadcode provides software services, in particular a trading platform offering comprehensive brokerage solutions to trading entities (the Software). Quadcode is committed to protecting the privacy and security of users of its software tools. This Bug Bounty Program welcomes investigative work into in-scope Vulnerabilities (as defined below) carried out by well-intentioned, ethical security researchers who, acting in good faith, discover in-scope Vulnerabilities in the Software, subject to the terms and conditions herein. Participants acting in accordance with these Terms will be rewarded with a Benefit (as defined below) in exchange for their findings.

Bounties

This is a responsible disclosure program without bounties.

Rules of engagement

  • Rate limit: max. 5 requests/sec
  • Required header: X-BugBounty-Intigriti: {Username}

By participating in this program, you agree to

  • Respect the Community Code of Conduct.
  • Respect the Intigriti Terms and Conditions.
  • Respect the scope of the program.
  • Not discuss or disclose vulnerability information without prior written consent (including PoCs on YouTube and Vimeo).

Testing approaches that are not allowed

  • Exfiltration of data.
  • Phishing and social engineering.
  • Spam and physical intrusion.
  • Using automation to brute-force login credentials.
  • Manually or automatically scraping large sections of the site to enumerate user IDs, usernames, emails, or other user/employee information.
  • Attempting to obtain information from other user accounts. If you believe you've found an issue that could compromise another user's data or session, use your own test accounts to demonstrate it.
  • DoS/DDoS or brute-force attacks.
  • Attacks requiring physical access to a victim's device, MITM, or compromised user accounts.
  • Theoretical issues with no realistic exploit scenario or attack surface, or issues requiring complex end-user interaction.
  • Vulnerabilities that only affect software no longer receiving security updates.
  • Reports stating that software is out of date/vulnerable without a PoC.

Reporting notes:

  • Recently disclosed zero-days in in-scope assets may be reported within 14 days of a public patch/mitigation, but are typically not treated as new findings.
  • If a reported vulnerability was already known to us from our own testing, it will be flagged as a duplicate.

Allowed actions for critical vulnerabilities

When demonstrating a critical vulnerability, stay strictly within the following limits.

Command Injection

  • Execute only benign commands (e.g. cat /etc/passwd), solely to prove code execution.

SQL Injection — limited to:

  • Basic database information: SELECT database();, SELECT @@version;, SELECT user();, SELECT system_user();, SELECT @@hostname;
  • Schema details: table_schema, table_name, column_name
  • Mathematical, conversion, or logical queries, including time-based functions such as SLEEP, provided they do not extract data beyond the items listed above.

File read / upload

  • For file reads, only access non-sensitive, demonstrable system files (e.g. /etc/passwd, /proc/sys/kernel/hostname). Anything beyond this requires prior approval from our security team.
  • Example upload filename: vdp_2025-11-13.log.

Reporting requirements — include in your report:

  • Source: the IP address of the device used.
  • Timestamp: date, time, and timezone of your actions.
  • Full HTTP requests and responses (headers and bodies).
  • All uploaded files and their names.
  • Callback info: IP and port for any SSRF/RCE callback.
  • Any data accessed, deliberately or accidentally.
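Added example (not code from the program page, Quadcode or Intigriti): a small Python client that stays inside the rules of engagement above and collects the evidence this list asks for. It throttles to the 5 requests/second ceiling, adds the X-BugBounty-Intigriti header to every request, refuses hosts outside the domains this page lists under In scope (with *.cpa.iqoption.com excluded), and writes one JSON record per request with the source IP, a timezone-aware timestamp, the full request and response, any callback endpoint and any data accessed. The transport is injectable; the fake transport, the fake clock, the class and field names, and the sample TEST-NET IP and URLs are assumptions of this example so that it runs offline.

```python
# Added example, not code from the Quadcode/Intigriti program page. The class
# and field names, the fake transport, the fake clock and the sample IP/URLs are
# this example's own assumptions.
import json
import time
from collections import namedtuple
from datetime import datetime, timezone
from urllib.parse import urlparse

REQUIRED_HEADER = "X-BugBounty-Intigriti"
MAX_REQUESTS_PER_SECOND = 5
IN_SCOPE_DOMAINS = ("iqoption.com", "quadcode.com")  # apex and *.domain, per the page
EXCLUDED_SUFFIXES = (".cpa.iqoption.com",)           # *.cpa.iqoption.com is excluded

Response = namedtuple("Response", "status headers body")

def host_in_scope(host):
    """True only for the listed domains and their subdomains, minus exclusions."""
    if not host:
        return False
    host = host.lower()
    if any(host.endswith(s) for s in EXCLUDED_SUFFIXES):
        return False
    return any(host == d or host.endswith("." + d) for d in IN_SCOPE_DOMAINS)

class RateLimiter:
    """Fixed-interval throttle: at most `rate` calls per second."""

    def __init__(self, rate, clock=time.monotonic, sleep=time.sleep):
        self.min_interval = 1.0 / rate
        self._clock, self._sleep, self._last = clock, sleep, None

    def wait(self):
        if self._last is not None:
            elapsed = self._clock() - self._last
            if elapsed < self.min_interval:
                self._sleep(self.min_interval - elapsed)
        self._last = self._clock()

class ScopedClient:
    """Throttled, tagged requests to in-scope hosts only, plus an evidence log
    holding what the reporting requirements ask for."""

    def __init__(self, username, source_ip, transport, limiter=None):
        self.username, self.source_ip, self.transport = username, source_ip, transport
        self.limiter = limiter or RateLimiter(MAX_REQUESTS_PER_SECOND)
        self.records = []

    def request(self, method, url, headers=None, body="", callback=None, data_accessed=()):
        if not host_in_scope(urlparse(url).hostname):
            raise ValueError(f"refusing out-of-scope host in {url}")
        self.limiter.wait()
        hdrs = dict(headers or {})
        hdrs[REQUIRED_HEADER] = self.username
        resp = self.transport(method, url, hdrs, body)
        self.records.append({
            "timestamp": datetime.now(timezone.utc).isoformat(),  # explicit +00:00 offset
            "source_ip": self.source_ip,
            "request": {"method": method, "url": url, "headers": hdrs, "body": body},
            "response": {"status": resp.status, "headers": dict(resp.headers), "body": resp.body},
            "callback": callback,  # "ip:port" of any SSRF/RCE listener used
            "data_accessed": list(data_accessed),
        })
        return resp

    def export(self):
        """JSON evidence log to attach to the submission."""
        return json.dumps(self.records, indent=2)

class FakeClock:
    """Constructed clock so the demo runs offline without real sleeping."""

    def __init__(self):
        self.now = 0.0

    def monotonic(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds

def fake_transport(method, url, headers, body):
    """Constructed offline responder echoing what it received (stand-in for a real HTTP client)."""
    return Response(200, {"Content-Type": "application/json"},
                    json.dumps({"method": method, "url": url, "tag": headers.get(REQUIRED_HEADER)}))

def demo(username="researcher", n=3):
    """Send n throttled requests through the fake transport; returns (client, clock)."""
    clock = FakeClock()
    limiter = RateLimiter(MAX_REQUESTS_PER_SECOND, clock.monotonic, clock.sleep)
    client = ScopedClient(username, "203.0.113.10", fake_transport, limiter)  # TEST-NET-3 address
    for i in range(n):
        client.request("GET", f"https://api.iqoption.com/v1/ping?i={i}")
    return client, clock
```

For live testing, pass a real HTTP client as the transport (for example a thin wrapper around requests.request that returns the status, headers and body) and keep the default RateLimiter, which uses time.monotonic and time.sleep. Fill in `callback` and `data_accessed` on every request that used a listener or touched data, since the report must disclose both.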

Prohibited actions

File uploads / post-exploitation

  • Do not modify, alter, delete, or replace any files on the server (including system files), except files explicitly tied to your own account or to accounts with explicit owner consent.
  • Do not upload files that can cause denial of service (e.g. oversized or resource-exhausting files).
  • Do not upload malicious files (malware, spyware, or anything intended to compromise the system).
  • Do not interrupt normal server operations (e.g. triggering a reboot or disabling services).
  • Do not create or maintain a persistent connection to the server or environment.

Accessing excessive information

  • Do not read files, data, or logs beyond what is necessary to demonstrate the vulnerability.
  • Do not view sensitive information irrelevant to proving the issue.

Unethical behavior

  • Do not fail to disclose actions taken or data accessed during testing.
  • Do not test outside the agreed scope (e.g. third-party systems or domains not listed).

Response times

We aim to provide an initial response within the timelines below after your report has been received and verified by Intigriti. We'll keep you updated on triage and remediation progress.

Severity   Time to first response
Critical   5 working days
High       10 working days
Medium     20 working days
Low        25 working days

In scope

Introduction

Welcome to the Quadcode Vulnerability Disclosure Program. We've done our best to clean up our known issues and would now like your help spotting the ones we missed.

This section lists the assets, websites, products, and services considered in scope. The list is subject to change without notice and should be reviewed before submitting a report. If you're unsure whether a finding is in scope, we'd rather you report it than hold back.

This program does not offer guaranteed monetary rewards. For exceptional reports that demonstrate significant security impact, Quadcode may, at its sole discretion, provide a monetary bonus or other form of recognition. Any such award is decided case-by-case and is not guaranteed.

Only the entities operated by the Software are in scope, in particular:

iqoption.com
*.iqoption.com
quadcode.com
*.quadcode.com

Scope areas

In-scope findings fall into the following areas. These describe the kinds of issues we're most interested in; all valid reports are triaged by their security impact.

  • Trading & billing logic: money, payment, and KYC/verification business-logic issues on iqoption.com / *.iqoption.com.
  • Web application: all other (technical) web vulnerabilities on iqoption.com / *.iqoption.com.
  • Corporate website: web vulnerabilities on quadcode.com / *.quadcode.com.
  • Asset, Data & Secret Exposure: high-impact exposure of Quadcode-owned assets, data, secrets, or infrastructure on systems outside the listed domains (a demonstrated security impact is required — see its own section).

Vulnerabilities in scope (WEB)

The following technical classes are in scope for the web-application and corporate-website areas. The trading & billing area covers the money/verification business-logic classes defined in its own section.

  • RCE
  • Injections
  • Broken Authentication
  • Sensitive Data Exposure
  • XML External Entities (XXE)
  • Broken Access Control (including IDOR)
  • Security Misconfiguration (with a demonstrable security impact)
  • Cross-Site Scripting (XSS)
  • Insecure Deserialization
  • SSRF (reaching internal resources, cloud metadata endpoints, or otherwise demonstrating meaningful impact)

Out of scope

Excluded assets

Any domain not explicitly listed in the In Scope section is out of scope. This explicitly includes:

*.cpa.iqoption.com

Excluded vulnerabilities

The following are not eligible:

  • Cross-Site Request Forgery (CSRF) without a demonstrable security impact, including but not limited to login, signup, logout, notification toggles, and CSRF on forms available to anonymous users.
  • Social engineering (including phishing) of any employee, contractor, or client of Quadcode or of entities operated by the Software.
  • Output from security scanners and other automated systems.
  • Content spoofing / text injection without a demonstrated attack vector (no ability to modify HTML/CSS).
  • Weak password policies and best-practice violations (complexity, expiration, reuse, etc.).
  • Mail configuration issues (SPF, DKIM, DMARC).
  • Host header injection / CRLF injection without demonstrated exploitation or business impact.
  • DNSSEC configuration.
  • Clickjacking.
  • Previously known vulnerable libraries without a working PoC.
  • Missing best practices in SSL/TLS configuration (BEAST, BREACH, renegotiation, missing forward secrecy, weak/insecure cipher suites).
  • Missing best practices in HTTP security headers without a working PoC (e.g. Strict-Transport-Security, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Content-Security-Policy and variants, Cross-Origin-Opener-Policy).
  • Content Security Policy (CSP) weaknesses.
  • CORS misconfiguration without demonstrated impact.
  • Network-layer DoS (connection floods, HTTP GET floods, etc.).
  • Application-layer DoS/DDoS (slowloris, HTTP POST floods, GraphQL abuse, etc.).
  • Path disclosure.
  • Reports about the mere absence of a protection mechanism or non-compliance with recommendations.
  • Presence of application or browser 'autocomplete' / 'save password' functionality.
  • Lack of Secure/HttpOnly flags on non-sensitive cookies.
  • Lack of a security speedbump when leaving the site.
  • Weak captcha / captcha bypass.
  • Forgot/Change Password brute force, or lack of account lockout.
  • OPTIONS HTTP method enabled.
  • Username / email enumeration (via login or forgot-password error messages).
  • DoS over account creation.
  • Verbose messages / files / directory listings without disclosing sensitive information.
  • Disclosure of technical or non-sensitive information (e.g. software version, detailed error messages).
  • Bypassing rate limits, or the absence of rate limits.
  • CSV injection.
  • Tokens leaked to third parties.
  • Email bombing.
  • HTTP request smuggling without proven impact.
  • Same-site scripting.
  • Subdomain takeover without actually taking over the subdomain.
  • Arbitrary file upload without proof of the existence of the uploaded file.
  • Blind SSRF without proven business impact (pingbacks are not sufficient).
  • Open Redirect without an additional demonstrated security impact (e.g. the ability to steal an authentication token).

Severity assessment

This program follows Intigriti's triage standards.

FAQ

Where can we get credentials for the app?

  • You can create an account by self-registering on the iqoption.com platform with your @intigriti.me email address.
  • We currently do not provide credentials for testing additional user roles.


Program specifics

  • No collaboration

Overall stats

  • Submissions received: 23
  • Accepted submissions: 6
  • Average payout: €150
  • Total payouts: €450

Last 90 day response times

  • Avg. time to first response: < 6 days
  • Avg. time to triage: < 2 weeks