Vulnerability Disclosure Policy

QCL QUAD CODE CY LTD, is a software development company registered in the Republic of Cyprus with company registration number HE391725 and having its registered office at 106 Gladstonos street, Gladstonos Business Center, Ground Floor, Office 3, Section C6. 3032 Limassol, Cyprus, together with its affiliated entities (Quadcode). Quadcode provides software services and in particular a trading platform offering comprehensive brokerage solutions to trading entities (Software). Quadcode is committed to protecting the privacy and security of users of its software tools. This Vulnerability Disclosure Program (Program) welcomes investigative work into security in-scope Vulnerabilities (as defined below) carried out by well-intentioned and ethical security researchers who discover in good faith Software in-scope Vulnerabilities in the Software, subject to the terms and conditions herein contained. Participants acting in accordance with the terms and conditions of these Terms and will be rewarded with a Benefit (as defined below) in exchange for their findings.

PROGRAM TERMS

1. ACCEPTANCE OF TERMS AND OTHER

1.1 Your participation in the Program is voluntary and subject to the terms and conditions herein contained (Terms).


1.2 By submitting a Submission (as defined below) for a vulnerability to Quadcode, you acknowledge that you have read and agreed to these Terms.

1.3 These Terms are additional and supplementary to any other agreement in which you have entered with any of the entities whose trading platform is operated by the Software (“Agreements”).

1.4 The terms of the Agreements will at all times apply to your use of the services under the Agreements and are autonomous and independent from the Terms of this Program.  If there is any inconsistency between the terms of the Agreements and these Terms, the Terms will override solely in relation to the Program.

1.5 In an effort to encourage you in making responsible Submissions and Submissions made in good faith, Quadcode commits that, if, upon our sole discretion, we decide that a submission made by you has been made in accordance with the guidelines of these Terms, Quadcode will not bring a private action against you or refer a matter for public inquiry.

1.6 IMPORTANT: as part of your research, you are not allowed to modify any files or data, including permissions, and you are not allowed intentionally to view or access any data which is not required for your research.

2. ELIGIBILITY REQUIREMENTS AND YOUR COVENANTS

2.1 Eligibility Requirements: In order for you to be eligible to participate in this Program and by extension, to receive a Benefit, YOU MUST NOT:

  1. be employed by Quadcode, its subsidiaries or its affiliates entities, or an employee and/or service provider of any of the entities operated by the Software

  2. be an immediate family member of a person employed and/or providing services to Quadcode, its subsidiaries or its affiliates, or of any of the entities operated by the Software,

  3. be a minor, in accordance with the country in which you are a resident. Usually this is over 18 years of age. If you are considered a minor in the country you are a resident, then you must get your parents’ or legal guardian’s permission before participating in the Program, and make any Submissions in relation to Vulnerabilities that are not original, have been previously reported, and already discovered by internal procedures,

Subject to the above, if it comes to the knowledge of Quadcode or Quadcode has reasonable grounds to believe that you meet any of the above requirements, you will be removed from the Program, you will be disqualified and will not receive any Benefit.

2.2 Covenants: By the accepting the Terms you confirm, acknowledge, agree and covenant to Quadcode that you shall not, or assist any other party, to:

  1. without the prior written approval of Quadcode, disclose in any way, either to the public (including via: websites, social networks, forums, blogs, online magazines, and similar) or any other third person/entity, the content of your Submission, any findings of your research for a potential Submission or for an actual Submission (collectively the “Content”),

(b) use in any way the Content for any other purpose other for the purposes described herein and to make a Submission,

(c) modify any files or data, including permissions, and you are not allowed intentionally to view or access any data which is not required for your research,

(d) interact with, access, use or modify in any way  any trading accounts of the Software users (real or demo) or their data,

(e) interrupt or disturb the operation of the Software or the provision of the services by Quadcode, in any way, and

(f) violate any other applicable laws and/or regulations and/or or any existing regulatory documents, including those of QuadcCode.

2.3 Without prejudice to Quadcode’s rights and/or without limiting any other remedies available to Quadcode under applicable laws, if it comes to the knowledge of Quadcode or Quadcode has reasonable grounds to believe that you meet any of the above requirements, you will be removed from the Program, you will be disqualified and will not receive any Benefit.

3. SOFTWARE SCOPE

3.1 Only the  entities operated by  the Software are in scope, in particular:

(a) Web applications:
  *.iqoption.com

  *eu.iqoption.com
  *quadcodemarkets.com

  *quadcodemarkets.com.au

  *trade.quadcodemarkets.com

(b) Desktop applications of the above;

(c) Mobile application:
      IQOPTION iOS Application

Quadcode Markets iOS Application

Quadcode Markets Android Application

Quadcode Markets Desktop Application

 

3.2 Any software or acquisitions not listed above are not in-scope, including without limitation to the following:

(a) my.iqoption.com

(b) cpa.iqopption.com

(c) blog.iqoption.com

(d) blog. quadcodemarkets.com

4. RESPONSE TIME

Quadcode shall make best efforts to respond within the following time intervals to Submissions:

 

QUADCODE TYPE OF RESPONSE

RESPONSE TIME (in business days)

First Response

3

Time to Assess Submission Response

7 following First Response

Time to pay Benefit following Assessment of Submission

up to 30 from Assessment Response (subject to paragraph 8.4)

Time to Resolution

Depends on severity and complexity

 

5. SCOPE FOR QUADCODE WEB APPLICATION

5.1In-scope vulnerabilities:

(a) Injections

(b) Broken Authentication

(c) Sensitive Data Exposure

(d) XML External Entities

(e) Broken Access Control

(f) Security Misconfiguration with a demonstration of how to exploit it

(g) Cross-Site Scripting

(h) Insecure Deserialization

 

5.2 Out-of-Scope vulnerabilities:

The following shall be considered as out of scope vulnerabilities for the web application:

  1. Social engineering (including phishing) of any employee,  contractors andor  client of Quadcode and/or of the entities operated by the Software;

  2. Messages from security scanners and other automated systems;

  3. Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS;

  4. Weak password policies;

  5. Mail configuration issues including SPF, DKIM, DMARC settings;

  6. Host header injection without exploitation;

  7. DNSSEC configuration;

  8. Clickjacking;

  9. Unauthenticated/logout/login/signup, enable/disable notification CSRF;

  10. Previously known vulnerable libraries without a working Proof of Concept;

  11. Missing best practices in SSL/TLS configuration;

  12. Missing best practices in HTTP headers configuration without a working Proof of Concept;

    1. Strict-Transport-Security

    2. X-Frame-Options

    3. X-XSS-Protection

    4. X-Content-Type-Options

    5. Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP

    6. Content-Security-Policy-Report-Only

  13. Network disruption of service (DoS) attacks (i.e. connection floods, HTTP GET floods, etc);

  14. Path disclosure;

  15. Reports about the absence of a protection mechanism or non-compliance with recommendations;

  16. CSP (content security policy);

  17. SSL Issues, e.g.

    1. SSL Attacks such as BEAST, BREACH, Renegotiation attack

    2. SSL Forward secrecy not enabled

    3. SSL weak / insecure cipher suites

  18. CSRF on forms that are available to anonymous users (e.g. the contact form);

  19. Logout Cross-Site Request Forgery (logout CSRF);

  20. Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality;

  21. Lack of Secure/HTTPOnly flags on non-sensitive cookies;

  22. Lack of Security Speedbump when leaving the site;

  23. Weak Captcha / Captcha Bypass;

  24. Forgot Password page brute force and account lockout not enforced;

  25. OPTIONS HTTP method enabled; 

  26. CORS;

  27. Username / email enumeration: 

    1. via Login Page error message

    2. via Forgot Password error message

6. SCOPE OF MOBILE APPLICATION

6.1 In-scope Vulnerabilities.
In addition to in-scope vulnerabilities stated above, the following will also be considered as in-scope vulnerabilities for the mobile application, which shall include:

(a) Insecure Data Storage;

(b) Insecure Communication;

(c) Insecure Authentication; and

(d) Insecure Authorisation.

 

6.2 Out-of-Scope Vulnerabilities.
The following shall be considered as out of scope vulnerabilities for mobile applications:

  1. Social engineering (including phishing) of any employee,  contractors andor  client of Quadcode and/or of the entities operated by the Software;

  2. Missing best practices in SSL/TLS configuration;

(c) Missing best practices in HTTP headers configuration without a working Proof of Concept;

(d) Reports about the absence of a protection mechanism or non-compliance with recommendations.

 

6.2.1 for Android apps

  • Shared links leaked through the system clipboard.

  • Any URIs leaked because a malicious app has permission to view URIs opened

  • Absence of certificate pinning

  • Sensitive data in URLs/request bodies when protected by TLS

  • User data stored unencrypted on external storage

  • Lack of obfuscation is out of scope

  • oauth "app secret" hard-coded/recoverable in apk

  • Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceive (exploiting these for sensitive data leakage is commonly in scope)

  • Any kind of sensitive data stored in app private directory

  • Lack of binary protection control in android app
     

6.2.2 for iOS apps

  • Lack of Exploit mitigations ie PIE, ARC, or Stack Canaries

  • Absence of certificate pinning

  • Path disclosure in the binary

  • User data stored unencrypted on the file system

  • Lack of obfuscation is out of scope

  • Lack of jailbreak detection is out of scope

  • oauth "app secret" hard-coded/recoverable 

  • Crashes due to malformed URL Schemes

  • Lack of binary protection (anti-debugging) controls

  • Snapshot/Pasteboard leakage

  • Runtime hacking exploits (exploits only possible in a jailbroken environment)

7. SUBMISSION REQUIREMENTS

7.1 In order to be eligible to receive a Benefit for a submission made under these Terms, your submission should Include a report with all of the following information (Submission). A well-written report will allow us to more quickly and accurately assess your submission: 

(a) Each report must relate to one Vulnerability, unless many vulnerabilities are concerned and therefore need be included in order to accurately describe the impact of that one Vulnerability being reported, but again this will be treated as one Submission for the purposes of a Benefit,
(b) Full description of the Vulnerability being reported, including the exploitability and impact,
(c) Full description of the component of the Software in which the Vulnerability was discovered,
(d) Evidence and explanation of all steps required to reproduce the submission, which may include videos, screenshots, exploit code, traffic logs, web/API requests and responses, email address or user ID of any test accounts, IP address used during testing,
(e) Proposals for the rectification and fix of the Vulnerability being reported,
(f) Full description of any unintentional access taking place during your research/testing, to any confidential information of Quadcode or of any trading accounts (real or demo) of the users of the entities operated by Quadcode, and
(g) Multiple Vulnerabilities caused by one underlying issue will be treated as one Submission for the purposes of a Benefit.

7.2 Submit the above report to security@quadcode.com

 

7.3 Failure to follow all of the above steps and include any of the above items may delay or jeopardize the acceptance of a Submission and/or the payment of a Benefit (if any).

8. BENEFIT PAYMENT

8.1 You shall be eligible to receive a monetary reward (Benefit), if:

  1. You are the first person to submit an in-scope Vulnerability being reported,

  2. That Vulnerability is determined by Quadcode’s security team, to be a valid security issue,

  3. You have complied with all terms and conditions of these Terms, and

  4. You are in compliance with the Terms.
     

8.2 Benefits, if any, shall be determined in the sole discretion of Quadcode and in no event shall Quadcode be under any obligation to pay you a Benefit for any Submission. All Benefit payments shall be considered gratuitous.

8.3 Quadcode shall determine the amount of any Benefit, based on the risk and impact of the Vulnerability reported. The minimum Benefit for a validated Submission, shall be USD200 and the maximum USD2000.

8.4 The only payment method acceptable for the payment of any Benefits hereunder shall be via bank wire transfer to your bank account. In order to be able to process any Benefit payments, you will be required to provide us upon request a valid Account and IBAN number into which the Benefit shall be paid and any other information we may consider necessary. Payment of the Benefit into the Bank Account, shall constitute full and unequivocal satisfaction of any obligations we may have against you in reference to a Benefit (if any).

8.5 All Benefits will be made in USD in accordance with the Response Time, and you will be responsible for any tax implications or other implications related to the payment of the Benefit to you.

8.6 Quadcode retains the right to determine upon its sole discretion, whether a Vulnerability submitted under this Program is eligible. All determinations as to the amount of the Benefit made by Quadcode, are final and shall not be challenged by you. Benefit calculations are made on the basis and shall range in accordance with, the classification and sensitivity of the data impacted, ease of exploit and overall risk to Quadcode’s clients, Quadcode brand and determined to be a valid security issue by Quadcode’s security engineers/team.

9. OWNERSHIP OF SUBMISSION (LICENSE)

9.1 As a condition for your participation in the Quadcode Program, you hereby grant Quadcode, its subsidiaries, affiliates and customers a perpetual, irrevocable, worldwide, royalty-free, transferrable, sublicensable (through multiple tiers) and exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative work from, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to Quadcode in connection therewith, for any purpose (License).

9.2 You should not make any Submissions with us, you do not wish to License to us as described above.

9.3 In addition to your covenant indicated above, you further represent and warrant to Quadcode that any Submission made by you is original, developed by you, you own all right, title and interest in and to any such Submission.

9.4 Waiver: by Accepting the Terms and making a Submission, you hereby irrevocably waive all claims, current or future, of any nature, including express or implied, in contract or otherwise, arising out of any disclosure of the Submission to Quadcode and/or any right attaching to any Submission.

9.5 In no event shall Quadcode be restricted and/or prohibited from discussing, developing itself, having developed, or developing for third parties, materials which are competitive with those set forth in any Submission irrespective of their similarity to the information in the Submission, so long as Quadcode complies with the terms of participation stated in these Terms.

10. TERMINATION

In the event where (a) you breach any of these Program Terms or where (b) Quadcode determines, in its sole discretion that your continued participation in the Program could adversely impact Quadcode (including, but not limited to, presenting any threat to Quad Code’s systems, security, finances and/or reputation), Quadcode may immediately terminate your participation in the Program and disqualify you from receiving any Benefit.

11. CONFIDENTIALITY

11.1 The Quadcode takes security and data protection very seriously. We strive to create the most secure infrastructure of any broker in the world  and protecting our clients is our highest priority. Any information you receive or collect about Quadcode or any Quadcode user through the Program (Confidential Information) must be kept confidential and only used in connection with the Program. You may not use, disclose or distribute any such Confidential Information, including, but not limited to, any information regarding your Submission and information you obtain when researching the Software, without Quadcode’s prior written consent.

11.2 The participant to this Program hereby acknowledges, agrees and undertakes: 

  1. that any Confidential Information must be kept confidential and only used in connection with the Program. The participant may not use, disclose or distribute any such Confidential Information, including, but not limited to, any information regarding your Submission and information you obtain when researching the Software, without Quadcode’s prior written consent. 

  2. to protect such Confidential Information with at least the same degree of care that the participant uses to protect its own Confidential Information, but in no case, less than reasonable care,

  3. use the disclosing party’s Confidential Information for no purpose other than the use permitted by the disclosing party; and 

  4. immediately notify disclosing party upon discovery of any loss or unauthorized disclosure of disclosing party’s Confidential Information

11.3 At the request of the Quadcode the participant shall:

  1. destroy or return to all documents and materials (and any copies) containing, reflecting, incorporating or based on the other the Confidential Information,

  2. erase all the Confidential Information from computer and communications systems and devices used by it, including such systems and data storage services provided by third parties (to the extent technically and legally practicable), and

  3. certify in writing to Quadcode that it has complied with the requirements of this clause.

11.4 Provided that the participant shall not use the Confidential Information for any purpose other than to exercise its rights and perform its obligations under or in connection with these Terms.

12. INDEMNITY

In addition to any indemnification obligations you may have under the Agreements, you agree to at all times defend, indemnify and hold Quadcode, its subsidiaries, affiliates, officers, directors, agents, joint ventures, employees and suppliers, harmless from any claim or demand (including attorneys’ fees) made or incurred by any third party due to or arising out of your Submissions, your breach of these Terms and/or your improper use of the Program.

13. LIMITATION OF LIABILITY

If you have any basis of recovering damages in connection with this Program (including breach of these Terms), you agree that your exclusive remedy is to recover, from the Quadcode or any subsidiaries, affiliates, resellers, distributors, third- party providers and vendors direct damages up to $100,00 (hundred USD). You cannot recover any other damages or losses, including direct, consequential, lost profits, special, indirect, incidental or punitive. These limitations and exclusions apply even if this remedy does not fully compensate you for any losses or fails of its essential purpose or if we knew or should have known about the possibility of the damages. To the maximum extent permitted by law, these limitations and exclusions apply to anything or any claims related to these Terms and the Program. 

14. APPLICABLE LAW AND JURISDICTION

The Terms and all transactional relations between the participant and Quadcode  shall be governed by and construed in accordance with the laws of the Republic of Cyprus and the parties agree that all disputes shall be finally settled in the courts of the Republic of Cyprus.

15.  LEGAL – CHANGE OF PROGRAM TERMS

The Program, including its policies, is subject to change or cancellation by Quadcode at any time, without notice. Quadcode may amend these Terms and/or its policies at any time by posting a revised version on our website. By continuing to participate in the Program after Quadcode posts any such changes, you accept the Program Terms, as modified.

QUADCODE RESERVES ALL OF ITS LEGAL RIGHTS AND REMEDIES