Quantopian

target_in_scope

| asset_identifier | asset_type | availability requirement | confidentiality requirement | eligible for bounty | eligible for submission | integrity requirement | max_severity |
|---|---|---|---|---|---|---|---|
| \*.dynoquant.com | URL | high | high | | | high | critical |
| \*.quantshack.com | URL | low | low | | | low | medium |
| blog.quantopian.com | URL | medium | medium | | | medium | critical |
| www.quantopian.com | URL | high | high | | | high | critical |

**\*.dynoquant.com**

We host internal and middleware servers on the domain "dynoquant.com". We accept reports about these servers just as we accept reports about our front-end application (i.e., www.quantopian.com). When testing these servers for vulnerabilities, please be cognizant of the fact that they are production servers and avoid testing which could negatively impact their normal operations. Please do not submit reports about DMARC, DKIM, or SPF on this domain.

**\*.quantshack.com**

We host non-production servers in our "quantshack.com" domain, primarily www.quantshack.com. You shouldn't be able to access front-end pages on www.quantshack.com, because it is restricted by an IP whitelist and anyone not on the whitelist should get redirected automatically to www.quantopian.com. If you are able to bypass that whitelist and access any functionality other than an error page, that's certainly a reportable issue. Note that _functionality_ is key; static assets (e.g., JavaScript files, style sheets, images, etc.) on www.quantshack.com are not protected by a whitelist, so please do not submit reports about them. We will also accept reports about issues you discover on any other resources in this domain. Please do not submit reports about DMARC, DKIM, or SPF on this domain.

**blog.quantopian.com**

### DO NOT SUBMIT:

* xmlrpc.php on our blog; we know it's enabled and [we are not going to disable it](https://www.wordfence.com/blog/2015/10/should-you-disable-xml-rpc-on-wordpress/);
* attacks requiring a victim's device to be compromised by malware, a rootkit, etc.;
* security vulnerabilities in third-party components made public within the past 14 days;
* issues that you have not actually confirmed are present; or
* issues without a clearly defined security impact.

**www.quantopian.com**

Hey there! We welcome vulnerabilities on our servers and middleware associated with this asset.

**IMPORTANT:** Any account created at www.quantopian.com for security testing should have the string "hackerone" somewhere in the local part of its email address, i.e., the part before the "@". On many email platforms you can achieve this by appending "+hackerone" to the end of your username. There are several reasons for this:

* It enables us to distinguish security testing from real site usage in our site analytics.
* It enables us to automatically provide hackers with early access to new features that aren't ready to roll out to our entire user base yet, so that you can test them.
* It allows us to make the site behave slightly differently for security testers to minimize the impact of security testing on the rest of our user base.

Furthermore, if your testing involves posting new threads or comments in our forums, then please put the string "qsectest" somewhere in the body of each of your test postings so that we can detect that they are test posts and not email them to our members.

### DO NOT SUBMIT:

* DMARC, DKIM, or SPF;
* CSRF unless your proof-of-concept is successful when you've removed the CSRF token from both the cookie _and_ the hidden form field in the submission;
* attacks requiring physical access to a member's or employee's device;
* attacks requiring a member's or employee's device to be compromised by malware, a rootkit, etc.;
* third-party platforms and services hosting our resources or employed by them;
* social engineering;
* security vulnerabilities in third-party components made public within the past 14 days;
* issues that you have not actually confirmed are present on our site; or
* issues without a clearly defined security impact.

target_out_of_scope

| asset_identifier | asset_type | availability requirement | confidentiality requirement | eligible for bounty | eligible for submission | integrity requirement | max_severity |
|---|---|---|---|---|---|---|---|
| status.quantopian.com | URL | | | | | | none |