Moneybox Bug Bounty
Save and invest for your future. We offer cash savings products and long term investment products. As with all investing, your capital is at risk.
Program
- Avg reward: -
- Max reward: €2,000
- Scopes: 6
- Supported languages: English
Hacktivity
- Reports: 53
- 1st response: < 1 day
- Reports last 24h: -
- Reports last week: 1
- Reports this month: 3
Program description
Company
Moneybox helps more than 600,000 customers save and invest for their future. We offer cash savings products and long term investment products. As with all investing, your capital is at risk.
Program Rules
- We believe that no technology is perfect and that working with skilled security researchers is crucial in identifying weaknesses in our technology.
- If you believe you've found a security bug in our service, we are happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.
- Denial-of-service attacks of any kind are strictly forbidden, as is any interference with network equipment or Moneybox infrastructure.
Eligibility and Responsible Disclosure
- We are happy to thank everyone who submits a valid report that helps us improve the security of Moneybox; however, only reports that meet the following eligibility requirements may receive a monetary reward:
- You must be the first reporter of a vulnerability.
- The vulnerability must be a qualifying vulnerability (see the list below).
- Any vulnerability found must be reported no later than 24 hours after discovery, and exclusively through yeswehack.com.
- You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
- You must avoid tests that could degrade or interrupt our service: do not use automated tools, and keep your request rate low.
- You must not leak, manipulate, or destroy any user data.
- You must not be a former or current employee of Moneybox or one of its contractors.
- Reports about vulnerabilities are examined by our security analysts.
- Our analysis is based on worst case exploitation of the vulnerability, as is the reward we pay.
- No disclosure of a vulnerability, even partial, is permitted at this time.
Reward
Asset value | CVSS Low | CVSS Medium | CVSS High | CVSS Critical
---|---|---|---|---
 | €50 | €500 | €1,000 | €2,000
 | €50 | €200 | €500 | €1,000
Scopes
Scope | Type
---|---
https://api.moneyboxapp.com/ | api
https://admin.moneyboxapp.org/ | web-application
https://admin-roundups.moneyboxapp.org/ | web-application
https://apps.apple.com/gb/app/moneybox-save-and-invest/id1049797239 | mobile-application-ios
https://play.google.com/store/apps/details?id=com.moneyboxapp | mobile-application-android
https://sycamore.moneyboxapp.org/ | web-application

Rewards for each scope are paid on the Low / Medium / High / Critical CVSS bands of the grid above.
Out of scopes
- The Moneybox public website https://www.moneyboxapp.com/ and other moneyboxapp.com / moneyboxapp.org domains not listed are out of scope.
- Content served by the Cloudflare Access service (https://moneyboxapp.cloudflareaccess.com/*) is out of scope. These pages intentionally send no Access-Control-Allow-Origin header, so browsers block cross-origin reads of them. We have seen the missing header reported several times as a vulnerability; it is intended behaviour and is out of scope.
- Security concerns originating from https://moneyboxapp.onelogin.com/ are generally out of scope: those pages and their content are served by OneLogin, and issues with them should be reported to OneLogin directly. If, however, an exploit bypasses OneLogin to reach Moneybox systems or leaks sensitive Moneybox data, report it to both OneLogin and Moneybox.
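The Cloudflare Access point above, and the "CORS with real security impact" item in the qualifying list further down, both turn on the same triage question: does the response actually let an attacker's page read it? The helper below, added here as an example (not Moneybox's or YesWeHack's code), classifies a response to a probe request that carried an attacker-controlled Origin. A missing Access-Control-Allow-Origin header is the browser's default deny and is not reportable; a reflected origin combined with Access-Control-Allow-Credentials: true is. The probe origin and the header sets in the demo are constructed for illustration.

```python
"""Triage helper for CORS findings: separates a response with no
Access-Control-Allow-Origin header (browser blocks the cross-origin read,
nothing to exploit) from configurations that give a cross-site attacker
real access.  Added example; the probe origin and header sets are
constructed for illustration, not captured from any real target."""

from typing import Mapping, Tuple

# (short code, whether the "CORS with real security impact" bar is plausibly met)
NO_HEADER = ("no-acao-header", False)
WILDCARD = ("wildcard-no-credentials", False)
WILDCARD_CREDS = ("wildcard-with-credentials", False)   # browsers reject this combination
REFLECTED = ("reflected-origin-no-credentials", False)
REFLECTED_CREDS = ("reflected-origin-with-credentials", True)
NULL_CREDS = ("null-origin-with-credentials", True)
ALLOWLISTED = ("fixed-origin", False)


def classify_cors(probe_origin: str, response_headers: Mapping[str, str]) -> Tuple[str, bool]:
    """Classify one response to a request that carried `Origin: probe_origin`.

    Always probe with an origin you control; a trusted allow-list entry is
    otherwise indistinguishable from reflection.  Header lookup is
    case-insensitive, as HTTP header names are.
    """
    h = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"

    if acao is None:
        # The Cloudflare Access case: no header at all, so the browser refuses
        # to expose the response body to the calling page.  Intended behaviour.
        return NO_HEADER
    if acao == "*":
        # A wildcard can never be combined with credentials; the browser drops
        # the response if the server tries, so only already-public data is readable.
        return WILDCARD_CREDS if creds else WILDCARD
    if acao == probe_origin:
        # The server echoed our arbitrary origin.  With credentials, an attacker
        # page can read the victim's authenticated responses: report this one.
        return REFLECTED_CREDS if creds else REFLECTED
    if acao == "null" and creds:
        # "null" is the Origin sent by sandboxed iframes, which an attacker can
        # create at will, so trusting it with credentials is as bad as reflection.
        return NULL_CREDS
    return ALLOWLISTED


def worth_reporting(probe_origin: str, response_headers: Mapping[str, str]) -> bool:
    """True only for configurations with real cross-origin impact."""
    return classify_cors(probe_origin, response_headers)[1]


if __name__ == "__main__":
    probe = "https://attacker.example"            # assumed attacker-controlled origin
    samples = {                                   # constructed header sets
        "cloudflare-access-like": {"Content-Type": "text/html"},
        "public api": {"Access-Control-Allow-Origin": "*"},
        "reflects origin": {"Access-Control-Allow-Origin": probe,
                            "Access-Control-Allow-Credentials": "true"},
    }
    for name, headers in samples.items():
        code, report = classify_cors(probe, headers)
        print(f"{name:24s} {code:36s} report={report}")
```

Run the probe twice, once with your own origin and once with `null`, before writing a CORS report; if neither comes back with the real-impact flag set, the finding belongs in the non-qualifying "missing security-related HTTP headers" bucket rather than in a submission.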
Vulnerability types
Qualifying vulnerabilities
- Remote code execution (RCE)
- Broken authentication & session management
- Insecure direct object references
- Horizontal and vertical privilege escalation
- Material vulnerabilities related to unauthorised access to underlying cloud resources via private management URLs (whether Moneybox or Cloud Provider hosted).
- Local file access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
- Code injection (HTML, JS, SQL, PHP, ...)
- Cross-Site Request Forgery (CSRF) with real security impact
- Open redirect
- CORS with real security impact
- Sensitive information exposure through insecure data storage on the device
- Information leaked by the mobile apps (without rooting)
- Insecure Communication
- Insecure Authentication
- Insecure Authorization
- Insufficient Cryptography
- Hardcoded secrets
Non-qualifying vulnerabilities
- Direct invocation of actions or retrieval of data via the API that the user is legitimately entitled to invoke or retrieve using the Moneybox app is not considered a vulnerability.
- Technical information disclosure
- "Self" XSS
- Missing cookie flags
- SSL/TLS best practices
- Mixed content warnings
- Denial of Service attacks
- "HTTP Host Header" XSS
- Clickjacking/UI redressing
- Software version disclosure
- Stack traces or path disclosure
- Physical or social engineering attempts
- Recently disclosed 0-day vulnerabilities
- Presence of autocomplete attribute on web forms
- Vulnerabilities affecting outdated browsers or platforms
- Issues that require physical access to a victim’s computer/device
- Logout and other instances of low-severity Cross-Site Request Forgery
- Missing security-related HTTP headers which do not lead directly to a vulnerability
- Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated
- Incomplete or missing SPF, DKIM or DMARC records
- Vulnerabilities requiring physical access to a user’s smartphone
- Exploits that are only possible on Android versions below 5.0 (Lollipop)
- Exploits that are only possible on iOS versions below 10
- Exploits that are only possible on a jailbroken or rooted device
- Exploiting a generic Android or iOS vulnerability.
- Lack of code obfuscation
- Lack of binary protection / jailbreak and root detection / anti-debugging controls
- Crashing your own application
- Unimportant secrets (such as third-party secrets)
- SSL/TLS cipher suites
- Vulnerable versions of libraries (for example jQuery) without a demonstrable attack vector
- SSL/TLS certificate pinning
Hunting requirements
Account access
- Hunters will be testing in Moneybox’s live production environment.
- Test accounts can be created using the Moneybox App for Android or iOS.
- The Moneybox App is only available via the UK App Stores.
- Test accounts created in the app can be used for testing against the Moneybox API.
- Test accounts will not be provided for the private web applications included in scope. For these web applications our main interest is in authentication and session management vulnerabilities.
- Hunters must not use any automated scripts that rapidly submit multiple requests and must limit the number of user accounts sent through registration.
- Hunters should use yeswehack alias email addresses for registration or, alternatively, include the text "yeswehack" in their email address.
User agent
Please append the value "bugbounty-0421" (preceded by a space) to your User-Agent header.
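The hunting requirements above amount to three mechanical constraints on whatever harness you test with: the User-Agent tag on every request, a bounded request rate instead of a scanner's full speed, and test accounts registered only under an address that carries the "yeswehack" marker. The scaffolding below, added here as an example and not Moneybox's or YesWeHack's tooling, enforces all three; the base User-Agent strings, the 2 requests/second ceiling and the sample inputs are assumptions chosen for the demo, and `FakeClock` exists only so the throttle can be exercised without real waiting.

```python
"""Test-client scaffolding for staying inside the hunting requirements:
tagged User-Agent, fixed request rate, and a registration-address check.
Added example; the base User-Agent, the rate ceiling and the sample
values are assumptions, not program-supplied values."""

import time
from typing import Callable, Dict, Optional

PROGRAM_TAG = "bugbounty-0421"   # value the program asks to append to User-Agent


def tagged_user_agent(base_ua: str, tag: str = PROGRAM_TAG) -> str:
    """Append the program tag to a User-Agent string exactly once."""
    base_ua = base_ua.strip()
    return base_ua if base_ua.endswith(tag) else f"{base_ua} {tag}"


def registration_email_ok(email: str) -> bool:
    """Accept only addresses that mark the account as a hunter's test
    account: a YesWeHack alias, or any address containing 'yeswehack'."""
    email = email.strip().lower()
    if email.count("@") != 1:
        return False
    local, _, domain = email.partition("@")
    return bool(local) and bool(domain) and "yeswehack" in email


class RateLimiter:
    """Token bucket: at most `rate` requests per second after an initial
    burst of `burst`.  Clock and sleep are injectable for dry runs."""

    def __init__(self, rate: float, burst: int = 1,
                 clock: Callable[[], float] = time.monotonic,
                 sleep: Callable[[float], None] = time.sleep) -> None:
        self.rate = rate
        self.capacity = float(burst)
        self.tokens = float(burst)
        self.clock = clock
        self.sleep = sleep
        self.last = clock()

    def acquire(self) -> float:
        """Block until a request may be sent; return the seconds waited."""
        waited = 0.0
        while True:
            now = self.clock()
            # Refill proportionally to elapsed time, capped at the burst size.
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
            self.last = now
            if self.tokens >= 1.0:
                self.tokens -= 1.0
                return waited
            shortfall = (1.0 - self.tokens) / self.rate
            self.sleep(shortfall)
            waited += shortfall


class ThrottledClient:
    """Produces the headers for each request and enforces the rate ceiling
    first; plug `headers_for()` into whatever HTTP library you already use."""

    def __init__(self, base_ua: str, limiter: RateLimiter) -> None:
        self.user_agent = tagged_user_agent(base_ua)
        self.limiter = limiter

    def headers_for(self, extra: Optional[Dict[str, str]] = None) -> Dict[str, str]:
        self.limiter.acquire()          # sleeps here if we are over the rate
        headers = {"User-Agent": self.user_agent}
        headers.update(extra or {})
        return headers


class FakeClock:
    """Simulated clock for dry runs: sleeping advances time instantly."""

    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def sleep(self, seconds: float) -> None:
        self.t += seconds


if __name__ == "__main__":
    clock = FakeClock()                                   # dry run, no real waiting
    client = ThrottledClient("curl/8.0",                  # assumed base User-Agent
                             RateLimiter(rate=2.0, burst=1, clock=clock.now, sleep=clock.sleep))
    for _ in range(3):
        print(client.headers_for({"Accept": "application/json"}), "at t=%.1fs" % clock.t)
    for addr in ("hunter.yeswehack@example.com", "hunter@example.com"):
        print(addr, "ok" if registration_email_ok(addr) else "rejected")
```

Swap `FakeClock` for the defaults to get real pacing; with `rate=2.0, burst=1` the client sends one request immediately and then waits half a second before each further one, which keeps a registration loop or an IDOR sweep well inside what the program allows.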
Hunters collaboration
When submitting a new report, you can add up to 5 collaborators and define the reward split ratio.
For more information, see the help center.
Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.