Bug Bounty Program

‍

• Bug Bounty Program Registration Shortcut Link
• Bug Bounty Program Acceptance Form Download
• Bug Bounty Program Terms and Conditions Shortcut Link
• Bug Bounty Program Hall of Fame 🏆️

‍

‍

Compliance Bounty Program

‍

• Compliance Bounty Program Register Shortcut Link
• Compliance Bounty Program Terms and Conditions Shortcut Link

‍

‍

Bug Bounty Program

‍

‍

1. Program Introduction

‍

The QueryPie bug bounty program is instituted to find the vulnerabilities in QueryPie services and provide a more safe and secure service to customers. The purpose of the bug bounty program is to quickly recognize and patch security vulnerabilities present in any of the QueryPie services and to provide appropriate rewards to users participating in the bug bounty program.

‍

‍

2. Scope

‍

To target vulnerabilities and bugs arising from the following QueryPie services.

• QueryPie Products

Note that the program is limited to the aforementioned services, and any reports that do not cover these services would be ineligible for a reward.

‍

‍

3. Rewards and Bounties

‍

Refer to the Terms and Conditions of the program - Bug Bounty Program Terms and Conditions

• Only the first public disclosure of an unknown issue or vulnerability is eligible for a bounty.
• Bounties are paid based on the severity of the vulnerability/bug and are solely at the discretion of the Company.
• Rewards may be denied if there is evidence of any violation of the program terms and conditions.

‍

‍

4. Conditions for Reward Ineligibility

‍

• Enumerate accounts/emails using brute force attack
• Publicly-known Vulnerabilities
• Physical attacks
• HTTP Host Header XSS
• Denial-of-Service(DoS) Attack
• Missing Security HTTP Headers
• Page tampering using error pages
• All applications not part of the QueryPie services
• Internal Scanning, Exploitation or Data Leakage
• If the vulnerability is not reproduced at the time of reporting
• In case of violation of the terms and conditions of this program
• If the vulnerability is not reproduced
• A Zero Day Vulnerability that has not been corrected
• Clickjacking/UI Redressing
• Missing cookie flags
• "Self" XSS
• Exposing the server's application information
• Client-side autocomplete or saved passwords/credentials
• Security, CSP header-related vulnerabilities
• Social Engineering attacks
• Other vulnerabilities deemed to be free from any security threats
• If the vulnerability is replicated and the Company is already aware of it

‍

‍

5. Disclosure Policy and Restrictions

‍

The company strives to fix and respond to any reports it receives through bug bounty as soon as possible.

‍

• Until the company receives a bug bounty report and the vulnerability/bug is fixed and improved, information about the vulnerability cannot be disclosed or shared with third parties without the company's written consent.
• Any actions that may affect users and services, such as using the results obtained from the bug-bounty program to damage or tamper data, are strictly prohibited.
• Participants are requested to stop once they encounter any personally identifiable information, such as access to systems, accounts, users, or user data. Any act of processing, storing, transmitting, or accessing the data discovered is strictly prohibited.
• Testing of third-party applications and services linked to the Company services is strictly prohibited.

‍

‍

6. Reporting

‍

Users are requested to report the Bug Bounty through this link and include the following details:

‍

• Vulnerability name
• How to find the vulnerability
• Code to reproduce the bug/vulnerability found
• Services or domains that are affected by the vulnerability
• Description of how the vulnerability could pose a security threat

When reporting a vulnerability, the participants are deemed to have agreed to 8. Bug Bounty Program Terms and Conditions mentioned below.

‍

‍

7. Review Period

‍

Once a bug bounty report is submitted, the QueryPie Bug Bounty team goes through its internal screening process and it may require 4 weeks for its review.

In case the team finds one’s reported vulnerability as valid and requires additional days(after 4 weeks) to finalize its review, the team may contact participants and announce its delay.

‍

‍

8. Bug Bounty Program Terms and Conditions

‍

The detailed terms and conditions can be checked here.

※ In addition to technical vulnerabilities and bugs, for any compliance and product suggestion, please report to the Compliance Bounty Program. Should you have any inquiries, please contact bounty@querypie.com. The QueryPie team does NOT accept inquiries from any other channels.

‍

--------------------------------(밑줄 필요)

‍

Compliance Bounty Program

‍

‍

1. Program Introduction

‍

The QueryPie Compliance Bounty Program is intended to provide appropriate rewards to users who actively review and improve compliance per the policies and laws related to service use, stability, and content adequacy.

‍

‍

2. Scope

‍

In relation to compliance and information protection issues in the services associated with QueryPie (Homepage, etc.), users can make suggestions (reports) as follows:

‍

• Violation of or non-compliance with laws and guidelines related to compliance and information protection.
• Adequacy of compliance and information protection-related content and measures to improve errors.
• Personal information over-exposure and potential privacy breaches.
• Improvement and addition of existing functions to enhance the level of user (personal) information protection of QueryPie services.
• Request for planning new services (UI, UX, content, etc.)
• Third-Party Interworking Development Request, etc.

※ For technical vulnerabilities and bugs in the service, please use the QueryPie Bug Bounty Program. If a bug bounty case is submitted to the Compliance Bounty Program, the team may reject it or process its review without a reward.

‍

‍

3. Rewards and bounties

‍

Refer to the Terms and Conditions of the program - Compliance Bounty Terms and Conditions

‍

• Distribution of rewards is at the discretion of the Company and is confirmed after a thorough review of non-compliance in relation to the major governing laws and guidelines, service stability, and improvements.
• Rewards may be denied if there is evidence of any violation of the program terms and conditions.

‍

‍

4. Conditions for Reward Ineligibility

‍

• In the case of third-party integration development requests.
• In case of typographical, expression, or any other similar errors.
• If the proposal is unrealistic/unlikely to elicit troubleshooting and/or improvements.
• If there is an existing function for the suggestion/report, or if the existing function is already in the process of improvement.
• In case the e-mail received is from a non-existent address or there is no e-mail reply from the user.
• In case of violation of the terms and conditions of this program.

‍

‍

5. Disclosure Policy and Restrictions

‍

• The suggestion/report must be on the topic of information protection and improvement functions related to the use of QueryPie services.
• The suggestion/report must be reasonable.
• Reported information, such as information protection improvement and error correction, cannot be disclosed to any third party without the clear written consent of QueryPie.
• In the case of a third-party integration development request, the request may be rejected or delayed depending on the results of QueryPie’s internal review.

‍

‍

6. Reporting

‍

Please report the Compliance Bounty through this link, and include the following details:

‍

• Target service or domain
• A detailed description of the target function and page(s).
• Grounds for violations of laws and guidelines, etc
• Suggestions for functional modification and feature improvement
• In case the report includes references to a third party, including a description of the references and/or products of the third party is advisable.

When reporting a vulnerability, the participants are deemed to have agreed to 8. Compliance Bounty Program Terms and Conditions mentioned below.

‍

‍

7. Review Period

‍

Once a compliance bounty report is submitted, the QueryPie team goes through its internal screening process and it may require 4 weeks for its review.

In case the team finds one’s reported vulnerability as valid and requires additional days(after 4 weeks) to finalize its review, the team may contact participants and announce its delay.

‍

‍

8. Compliance Bounty Program Terms and Conditions

‍

The detailed terms and conditions can be checked here.

‍

※ For technical vulnerabilities and bugs related to QueryPie services, please use the QueryPie Bug Bounty Program. If a bug bounty case is submitted to the Compliance Bounty Program, processing may be delayed or, in some cases, it may be rejected. For other inquiries, please contact bounty@querypie.com. The QueryPie team does NOT accept inquiries from any other channels.