Terms of Bounty Program

QueryPie Inc. (hereinafter referred to as the "Company") operates the QueryPie Bug Bounty Program (hereinafter referred to as the "Program"), which offers rewards for the responsible disclosure of vulnerabilities found in Company services. By participating in this Program and submitting a vulnerability report, participants are deemed to have agreed to the following terms.

Article 1 (Purpose)

The purpose of this Program is to identify, correct, and improve security vulnerabilities and bugs in the Company's services at an early stage, thereby ensuring a safer and more secure experience for users (hereinafter referred to as "Users").

Article 2 (Eligibility for Participation, Method of Participation, etc.)

  1. To participate in this Program, a participant (the "Participant") must meet the following requirements:
    • Must be able to communicate in either Korean or English.
    • Must not reside in any region subject to economic sanctions at the time the reward is issued.
  2. All reports must be submitted via the web page designated by the Company.
  3. Any costs incurred for participation are the responsibility of the Participant.
  4. All communication related to this Program must be conducted via email.

Article 3 (Scope of Application)

The Program is limited to security vulnerabilities and bugs identified in the following QueryPie services and products:

  • QueryPie Access Control Products:
    • DAC (Database Access Control)
    • SAC (Server Access Control)
    • KAC (Kubernetes Access Control)
    • WAC (Web Access Control)

⚠️ Vulnerabilities found on other websites or systems, including the official QueryPie homepage, are excluded from the scope of this Program and are not eligible for rewards.

Article 4 (Program Duration)

  1. The Program operates on a continuous basis. However, the Company may terminate the Program at any time without prior notice.
  2. Reports submitted in accordance with the designated process will be reviewed internally by the Bug Bounty team and may take up to 4 weeks for evaluation. The Company may notify the Participant if additional time is needed.
  3. Reports submitted prior to termination of the Program shall still be reviewed and responded to according to the process outlined above.

Article 5 (Submission of Reports)

All bug bounty reports must be submitted through this form.

⚠️ Only submissions through the designated forms are eligible for a reward. Reports submitted through any other means will not be reviewed or considered.

⚠️ Submitting a report through the designated forms constitutes agreement to these Terms and Conditions.

Article 6 (Evaluation and Reward)

  1. The Company will evaluate reward eligibility and amounts based on the severity, impact, and novelty of the reported vulnerability, in accordance with the QueryPie Bounty Reward Criteria developed based on publicly recognized standards such as CVSS. While final decisions remain at the Company's discretion, these criteria are intended to ensure transparency and consistency in reward assessments.

  2. Reports will not be rewarded in the following cases:

    • Account/email enumeration via brute-force
    • Publicly known vulnerabilities or submissions based solely on CVE-based automated tools
    • Physical attacks or social engineering
    • Denial-of-Service (DoS/DDoS) attacks
    • XSS via HTTP Host headers
    • Missing security headers (e.g., X-Frame-Options, Content-Security-Policy)
    • URL tampering via error pages or false positives
    • Reports concerning systems not part of the Company's services
    • Scanning or destructive/invasive testing of internal systems
    • Logs/screenshots that do not clearly demonstrate sensitive data leakage
    • Unreproducible or incomplete vulnerabilities
    • Reports violating the Terms or based on unethical testing practices
    • Known but unpatched zero-day vulnerabilities
    • Clickjacking or UI redressing
    • Cookies lacking Secure or HttpOnly flags
    • Self-XSS (triggered only by the reporter's own input)
    • Exposure of server version/stack (e.g., Server:, X-Powered-By)
    • Browser autocomplete or saved credentials warnings
    • Minor configuration issues with CSP or other security headers
    • Cosmetic UI issues with no security impact
    • Duplicates or issues already known to the Company
    • Issues that only affect unsupported browsers or platforms
    • Scenarios requiring unrealistic user interaction
    • Message flooding or bulletin board spam
    • Identical vulnerabilities reported across multiple locations (counted as one)
    • Multiple reporters for the same issue (only the first valid submission is eligible)
  3. If a report is deemed eligible for a reward, the Company will request the necessary information from the Participant via the email provided during submission. If the Participant fails to provide accurate information within 30 days, the reward entitlement will be forfeited.

  4. If a reward cannot be delivered due to mismatched or incorrect information provided by the Participant, the Company shall be deemed to have fulfilled its reward obligation.

  5. If the Participant violates these Terms, the Company reserves the right to withhold or reclaim the reward.

Article 7 (Prohibited Activities)

  1. Participants shall not:

    • Infringe on the rights of others or violate any applicable laws.
    • Use automated tools to scan the services.
    • Launch Denial-of-Service (DoS) attacks against the services.
    • Conduct physical attacks against Company assets or data centers.
    • Exploit vulnerabilities to view, delete, alter, or disclose user data.
    • Use discovered vulnerabilities to access, alter, or disclose source code.
    • Engage in any behavior contrary to the purpose or intent of the Program.

⚠️ Violation of the above may result in disqualification from the Program.

Article 8 (Rights)

  1. Any inventions, designs, or creative works developed by the Participant during vulnerability testing or reporting may be used by the Company for internal security improvement purposes. Copyrights and intellectual property rights shall remain with the Participant unless otherwise agreed upon in writing or a reward is granted.
  2. The Participant understands and agrees that the Company may independently develop materials that are similar or identical to the Participant's submission, and waives any claims resulting from such similarity.

Article 9 (Confidentiality)

Participants must treat all information acquired through vulnerability discovery (including exploitation methods) as confidential and must not disclose, share, or publish such information without the Company's explicit written consent; any requests for public disclosure will be reviewed at the Company's discretion.

Article 10 (Personal Data)

  1. The Company will protect personal information in accordance with applicable laws, including the Personal Information Protection Act.

  2. By submitting personal data, the Participant is deemed to have consented to its use for Program administration.

    • Email address
    • Name
    • Company affiliation
  3. The Company may use personal information for reward processing and administrative tasks related to the Program.

  4. The Company will retain personal data for up to 3 years from the date of the final submission, or as required by law.

Article 11 (Liability and Disputes)

  1. Participants join the Program at their own risk. The Company shall not be liable for any damages incurred by Participants, except in cases of gross negligence or willful misconduct by the Company.
  2. The Company shall not be involved in disputes between Participants or between a Participant and a third party. All related responsibilities and costs shall be borne by the Participant.

Article 12 (Modification of Terms)

  1. The Company may revise these Terms to the extent permitted by law.
  2. If amended, the revised Terms will be announced in advance with an effective date.
  3. Unless explicitly rejected by the Participant, continued participation constitutes acceptance of the revised Terms.
  4. Reports submitted after the effective date of amended Terms shall be deemed subject to those Terms.
  5. Participants who do not agree to the revised Terms may no longer participate in the Program.

Article 13 (Governing Law and Jurisdiction)

  1. All legal matters between the Company and the Participant shall be governed by the laws of the Republic of Korea.
  2. Jurisdiction shall be determined in accordance with the Korean Civil Procedure Act.
  3. If the Participant resides outside Korea, any dispute shall be exclusively submitted to the Seoul Central District Court.

Article 14 (Program Inquiries)

All inquiries related to this Program must be directed to . Inquiries through any other channels will not be acknowledged or responded to.

Last Updated: July 7, 2025
