Bug Bounty Program

1. Program Introduction

The QueryPie Vulnerability Bounty Program is established to identify security weaknesses in QueryPie services and to deliver safer, more secure services to our customers.


The goal of this program is to promptly discover and patch vulnerabilities and provide appropriate rewards to participants who report valid and impactful security issues.

2. Scope

The Bug Bounty Program applies to security vulnerabilities and bugs identified in the following QueryPie services and products:

  • QueryPie Access Control Products:
    • DAC (Database Access Control)
    • SAC (Server Access Control)
    • KAC (Kubernetes Access Control)
    • WAC (Web Access Control)

⚠️ This program applies exclusively to the listed services; any vulnerabilities found in other systems, including the official QueryPie homepage, are excluded from eligibility.

3. Rewards and Bounties

  • Submissions must be made through the reporting method described in Section 6. Submissions via other channels will not be reviewed.
  • Only the first report of an unpublished vulnerability will be considered for a bounty.
  • Rewards are determined based on the severity and impact of the vulnerability, and final decisions regarding bounty amount and eligibility are at the sole discretion of the Company.
  • Submissions that violate the Program Terms of Use may be denied.

4. Conditions for Reward Ineligibility

Reports will be ineligible if they fall under the following:

  • Account/email enumeration via brute-force attacks
  • Publicly known vulnerabilities or results generated solely by CVE-based automated tools
  • Physical attacks or social engineering attempts
  • Denial-of-Service (DoS/DDoS) attacks
  • XSS via HTTP Host headers
  • Missing security headers (e.g., X-Frame-Options, Content-Security-Policy)
  • URL tampering via error pages or false-positive style alerts
  • Reports related to domains/systems not part of QueryPie
  • Scanning or destructive testing against internal systems
  • Logs/screenshots not clearly indicating sensitive data leakage
  • Incomplete or unreproducible vulnerabilities
  • Breach of terms or unethical testing
  • Known zero-day vulnerabilities that remain unpatched
  • Clickjacking or UI redressing
  • Cookies lacking Secure or HttpOnly flags
  • "Self-XSS" (only triggered via the attacker's own input)
  • Exposure of application version or stack (e.g., Server:, X-Powered-By)
  • Autofill or credential warnings via browsers
  • Minor security header misconfigurations (e.g., weak CSP)
  • Cosmetic UI issues with no security impact
  • Duplicate reports or vulnerabilities already known to the company
  • Issues affecting only deprecated browsers or platforms
  • Vulnerabilities based on unrealistic user interaction assumptions
  • Spam or content flooding using bulk posts/messages
  • Same vulnerability reported across multiple locations (counted as one)
  • Multiple participants reporting the same issue (only the first valid report is accepted)

5. Disclosure Policy & Restrictions

  • Disclosure or sharing of any vulnerability information with third parties without the company's written consent is strictly prohibited.
    • Researchers may, however, request public disclosure of resolved vulnerabilities, subject to Company approval.
  • Using the discovered vulnerabilities to damage, alter, or affect the service is forbidden.
  • If a participant encounters personally identifiable information (such as system access, accounts, user data), they must immediately stop testing. Processing, storing, transmitting, or accessing such data is strictly prohibited.
  • Testing of third-party applications or services linked to QueryPie is not allowed.

6. How to Report

All bug bounty reports must be submitted through this form.

⚠️ Only submissions through the designated forms are eligible for a reward. Reports submitted through any other means will not be reviewed or considered.

Please include the following details in your report:

  • Name of the discovered vulnerability
  • Steps to reproduce or how the issue was discovered
  • Reproduction code or screenshots
  • Affected service, feature, or domain
  • Explanation of how the issue can pose a security threat

7. Review Period

Each submission will be reviewed through QueryPie's internal evaluation process.


Please note that it may take a minimum of 2 weeks to receive a response after your submission has been reviewed. We appreciate your patience during the evaluation process.


If additional time is required, the team will contact the participant to inform them of the delay.

8. Bug Bounty Program Terms of Use

For full details, please refer to the official Terms of Use.

Contact

For inquiries, please contact .


The QueryPie team does not accept inquiries via any other channels.
