At Quickpass Cybersecurity, we encourage and welcome working with security researchers. If you are a security researcher, and believe you have found a potential security issue in the Quickpass platform, please contact us. We will make every effort to quickly resolve the problem.
Submitting a Report
After creating a report, please send it to firstname.lastname@example.org.
Please read the following rules, policies, and information on response targets to make sure you are eligible for a reward.
Quickpass Response Targets
Quickpass will make a best effort to meet the following SLAs for researchers participating in the program. We will do our best to keep you informed through the process.
Disclosure Policy and Program Rules
- A Proof of Concept (PoC) is required for all reports
- We may ask you to help confirm the fix
- Please submit a detailed report with screenshots, steps on how reproduce, and anything else that will help us validate your findings. If we can't reproduce the issue, then we can't award the report.
- If creating accounts, please keep to a limit of 3 accounts
- Make a good faith effort to avoid destruction of data, privacy violations, and anything that could degrade our service. Only interact with accounts you own.
- When there is a duplicate submission, we will only award the first report that was received (as long as it can be fully reproduced).
- Please only submit one vulnerability at a time (unless it requires additional context)
- Please refrain from:
- Social engineering (including phishing) of Quickpass staff, contractors, or customers
- Any physical attempts against Quickpass property or data centers
- Denial of service
- Brute forcing
The Following List is Out of Scope
- Attacks requiring MITM or physical access to a user's device.
- Attacks requiring attacker control over a user's email account
- Previously known vulnerable libraries without a working Proof of Concept.
- Any activity that could lead to the disruption of our service (DoS).
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
- Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.
- Issues that require unlikely user interaction
- Additional Out Of Scope Targets (we don't own these properties, they are hosted on other software):
- support.getquickpass.com (our Support and Knowledgebase site, hosted on Zendesk)
- quickpass.canny.io (our customer feedback system, hosted on Canny)
- Quickpass Social Media Accounts
- getquickpass.com (our marketing website, hosted on Webflow)
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.Thank you for helping keep Quickpass and our users safe!