Description

QCL QUAD CODE CY LIMITED is a software development company registered in the Republic of Cyprus with company registration number HE391725 and having its registered office at 82nd road, 4 Kato Polemidia, 4153, Limassol, Cyprus, together with its affiliated entities (Quadcode). Quadcode provides software services, in particular a trading platform offering comprehensive brokerage solutions to trading entities (Software). Quadcode is committed to protecting the privacy and security of users of its software tools. This Bug Bounty Program welcomes investigative security work on in-scope Vulnerabilities (as defined below) carried out by well-intentioned and ethical security researchers who discover, in good faith, in-scope Vulnerabilities in the Software, subject to the terms and conditions contained herein. Participants acting in accordance with these Terms will be rewarded with a Benefit (as defined below) in exchange for their findings.

Bounties

This is a responsible disclosure program without bounties.

Rules of engagement

Required:

  • max. 5 requests/sec
  • Request header: X-BugBounty-Intigriti: {Username}

By participating in this program, you agree to:

  • Respect the Community Code of Conduct
  • Respect the Intigriti Terms and Conditions
  • Respect the scope of the program
  • Not discuss or disclose vulnerability information without prior written consent (including PoC's on YouTube and Vimeo)

Validation times

We will validate all submissions within the below timelines, once your submission has been verified by Intigriti.

Time to validate, by vulnerability severity:

  • Exceptional: 3 working days
  • Critical: 3 working days
  • High: 7 working days
  • Medium: 15 working days
  • Low: 15 working days

Awarding a reward remains at the discretion of Quadcode.

Domains
URL

Description: A trading platform with a self-registration option.
This tier concentrates on security issues related to trading areas such as exchange, withdrawal, deposit, and other billing-related operations.
List of countries where the service is restricted (see FAQ section):
Registration is available via link

URL

Quadcode's main website, presenting the company information, mission and solutions.

Registration is not available

In scope

Introduction

We are happy to announce our program! We've done our best to clean up our known issues and now would like to request your help to spot the ones we missed!

This section lists the assets, websites, products, and services that are considered in-scope and out-of-scope. This list is subject to change without notice and should be reviewed prior to submitting a finding.

Only the entities operated by the Software are in scope, in particular:

  • iqoption.com (Wildcard)
  • *.iqoption.com (Wildcard)
  • quadcode.com (Wildcard)
  • *.quadcode.com (Wildcard)

Vulnerabilities in-scope (WEB):

  • RCE
  • Injections
  • Broken Authentication
  • Sensitive Data Exposure
  • XML External Entities
  • Broken Access Control
  • Security Misconfiguration with a demonstration of how to exploit it
  • Cross-Site Scripting
  • Insecure Deserialization

Allowed actions for the critical vulnerabilities:

  1. Command Injection:
  • Execute only benign commands via the web application or interface, such as:
    cat /etc/passwd
  • Commands must only be used to demonstrate the ability to execute code.
  2. SQL injection (SQLi) is limited to the following scope:
  • Retrieving basic database information:
    • Name of the current database, version, user and hostname: SELECT database(); SELECT @@version; SELECT user(); SELECT system_user(); SELECT @@hostname;
    • Accessing database schema details: SELECT table_schema; SELECT table_name; SELECT column_name;
    • Performing mathematical, conversion, or logical queries: this includes the use of functions like SLEEP or similar, provided they do not extract data (other than what is explicitly listed above).
  3. File Upload:

Testing of vulnerabilities that may result in arbitrary file uploads or arbitrary file reads on the server must strictly adhere to the following guidelines.
Permitted Actions for File Reads

  • When exploiting file read vulnerabilities, only files containing non-sensitive, demonstrable system information may be accessed. Examples include:
    • /etc/passwd, /proc/sys/kernel/hostname
  • Further restrictions:
    • Any action beyond reading the aforementioned files, such as accessing sensitive or critical configuration files, requires prior approval from our security team.
  • Example file name: bugbounty_2024-11-13.log.
  4. Reporting Requirements:
  • Provide the following details in your report:
    • Source: The IP address of the device used to perform the requests.
    • Timestamp: The date, time, and timezone of your actions.
    • Full Server Requests and Responses: All HTTP requests and their corresponding responses, including headers and bodies.
    • Uploaded Files: All uploaded files and their names.
    • Callback Information: The IP address and port, if a callback request (e.g., SSRF or RCE) was made.
    • Accessed Data: Any data accessed, either deliberately or accidentally.

Assessment of Vulnerabilities Resulting from Data Leaks
If access to any services is obtained due to data leaks (e.g., authentication credentials found in leaked databases), the severity level of the issue will be determined not based on CVSS, but rather on factors such as the roles assigned to the affected account and the potential impact on our infrastructure and customers.

Additionally, we reserve the final right to determine eligibility for a bounty reward. The mere presence of valid credentials or access does not guarantee a payout, as certain accounts may belong to B2B partners or other entities that do not pose a direct risk to our customers' data.

Feedback

If you would like to help us improve our program or have feedback to share, please send it anonymously via the link below:

Program feedback link
Please note this form will be checked periodically and should not be used for submission or support queries.

Out of scope

Domains

  • blog.iqoption.com
  • *.cpa.iqoption.com
  • any other domain not explicitly listed in the In scope section

Application

  1. Social engineering (including phishing) of any employee, contractors and/or client of Quadcode and/or of the entities operated by the Software;
  2. Messages from security scanners and other automated systems;
  3. Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS;
  4. Weak password policies;
  5. Mail configuration issues including SPF, DKIM, DMARC settings;
  6. CRLF and Host header injection without exploitation;
  7. DNSSEC configuration;
  8. Clickjacking;
  9. Unauthenticated/logout/login/signup, enable/disable notification CSRF;
  10. Previously known vulnerable libraries without a working Proof of Concept;
  11. Missing best practices in SSL/TLS configuration;
  12. Missing best practices in HTTP headers configuration without a working Proof of Concept:
    - Strict-Transport-Security
    - X-Frame-Options
    - X-XSS-Protection
    - X-Content-Type-Options
    - Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
    - Content-Security-Policy-Report-Only
  13. Network disruption of service (DoS) attacks (i.e. connection floods, HTTP GET floods, etc);
  14. Path disclosure;
  15. Reports about the absence of a protection mechanism or non-compliance with recommendations;
  16. CSP (content security policy);
  17. SSL Issues, e.g.:
    • SSL Attacks such as BEAST, BREACH, Renegotiation attack
    • SSL Forward secrecy not enabled
    • SSL weak / insecure cipher suites
  18. CSRF on forms that are available to anonymous users (e.g. the contact form);
  19. Logout Cross-Site Request Forgery (logout CSRF);
  20. Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality;
  21. Lack of Secure/HTTPOnly flags on non-sensitive cookies;
  22. Lack of Security Speedbump when leaving the site;
  23. Weak Captcha / Captcha Bypass;
  24. Forgot/Change Password page brute force and account lockout not enforced;
  25. OPTIONS HTTP method enabled;
  26. CORS;
  27. Username / email enumeration:
    • via Login Page error message
    • via Forgot Password error message
  28. DoS over account creation
  29. Verbose messages/files/directory listings without disclosing any sensitive information
  30. Disclosure of technical or non-sensitive information* (e.g. software version, detailed error messages)
  31. Bypassing rate-limits or the non-existence of rate-limits.
  32. Best practices violations (password complexity, expiration, re-use, etc.)
  33. CSV Injection
  34. Tokens leaked to third parties
  35. Email bombing
  36. HTTP Request smuggling without any proven impact
  37. Same-site scripting
  38. Subdomain takeover without taking over the subdomain
  39. Arbitrary file upload without proof of the existence of the uploaded file
  40. Blind SSRF without proven business impact (pingbacks aren't sufficient)
  41. Host header injection without proven business impact
  42. Application-layer DoS/DDoS attacks (e.g., slowloris, HTTP POST floods, GraphQL abuse, etc.)
  43. Open Redirect without demonstrating an additional security impact (e.g. the ability to steal an authentication token).

General

The following testing approaches and attacks are not allowed as part of this program:

  • Recently discovered zero-day vulnerabilities found in in-scope assets within 14 days after the public release of a patch or mitigation may be reported, but are usually not eligible for a bounty
  • Exfiltration of data
  • Phishing
  • Attempting to obtain information from other user accounts. If you believe you've found an issue that may result in compromising the data or session of another user account, we ask that you utilize your own testing accounts in this situation.
  • Using automation to brute force login credentials
  • Scraping, manually or with automation, large sections of this site to enumerate user IDs, usernames, emails, or other user/employee information
  • If a reported vulnerability was already known to the company from its own tests, it will be flagged as a duplicate
  • Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited
  • Spam, social engineering and physical intrusion
  • DoS/DDoS attacks or brute force attacks
  • Vulnerabilities that only work on software that no longer receives security updates
  • Attacks requiring physical access to a victim's computer/device, man in the middle or compromised user accounts
  • Reports that state that software is out of date/vulnerable without a proof-of-concept

Prohibited actions:

  1. Post-Exploitation: Prohibited Actions for File Uploads:
  • Modification or alteration of files:
    • Uploading files that modify, alter, delete, or replace any files on the server, including system files, is strictly forbidden. Exceptions are only allowed for files explicitly associated with your account or accounts for which explicit consent has been granted by the respective user.
  • Denial-of-Service (DoS) through file uploads:
    • Uploading files that can cause a denial of service (e.g., excessively large files or those designed to exhaust resources) is prohibited.
  • Malicious file uploads:
    • Uploading malicious files, such as malware, spyware, or other files intended to compromise the system, is strictly forbidden.
  • Interrupting normal server operations (e.g., triggering a reboot or disabling services).
  • Creating and maintaining a persistent connection to the server or environment.
  2. Accessing Excessive Information:
  • Intentionally reading files, data, or system logs beyond what is necessary to demonstrate the vulnerability.
  • Viewing sensitive information that is not relevant to proving the issue.
  3. Unethical Behavior:
  • Failing to disclose all actions taken or data accessed during the testing process.
  • Testing outside of the agreed scope (e.g., third-party systems or domains not listed in scope).

Severity assessment

This program follows Intigriti's triage standards.

FAQ

Where can we get credentials for the app?

  • You can self-register on the iqoption.com platform, but please don't forget to use your @intigriti.me address.
  • We currently don't offer any credentials to test user roles.

Program specifics

  • No collaboration

Activity

  • 4/2: Quadcode changed the out of scope
  • 4/2: Quadcode changed the out of scope
  • 4/2: Quadcode changed the severity assessment
  • 4/2: QC VDP launched