avatar
Bug bounty
Public

Moneybox Bug Bounty

Save and invest for your future. We offer cash savings products and long term investment products. As with all investing, your capital is at risk.

Reward

Bounty
Hall of fame
€50
Low
€50
Medium
€500
High
€1,000
Critical
€2,000

Program

Avg reward
-
Max reward
€2,000
Scopes
6

Supported languages
English

Hacktivity

Reports
53
1st response
< 1 day
Reports last 24h
-
Reports last week
1
Reports this month
3

Company

Moneybox helps more than 600,000 customers save and invest for their future. We offer cash savings products and long term investment products. As with all investing, your capital is at risk.

Program Rules

  • We believe that no technology is perfect and that working with skilled security researchers is crucial in identifying weaknesses in our technology.
  • If you believe you've found a security bug in our service, we are happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.
  • Any type of denial of service attacks is strictly forbidden, as well as any interference with network equipment and Moneybox infrastructure.

Eligibility and Responsible Disclosure

  • We are happy to thank everyone who submits valid reports which help us improve the security of Moneybox however, only those that meet the following eligibility requirements may receive a monetary reward:
  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability
  • Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through yeswehack.com
  • You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
  • You must avoid tests that could cause degradation or interruption of our service (refrain from using automated tools, and limit yourself about requests per second).
  • You must not leak, manipulate, or destroy any user data.
  • You must not be a former or current employee of Moneybox or one of its contractors.
  • Reports about vulnerabilities are examined by our security analysts.
  • Our analysis is based on worst case exploitation of the vulnerability, as is the reward we pay.
  • No vulnerability disclosure, including partial is allowed for the moment.


Reward

Asset value CVSS
Low
CVSS
Medium
CVSS
High
CVSS
Critical
Critical
€50€500€1,000€2,000
High
€50€200€500€1,000

Scopes

ScopeTypeAsset value
https://api.moneyboxapp.com/ api
Critical
Low
€50
Medium
€500
High
€1,000
Critical
€2,000
https://admin.moneyboxapp.org/ web-application
Critical
Low
€50
Medium
€500
High
€1,000
Critical
€2,000
https://admin-roundups.moneyboxapp.org/ web-application
Critical
Low
€50
Medium
€500
High
€1,000
Critical
€2,000
https://apps.apple.com/gb/app/moneybox-save-and-invest/id1049797239 mobile-application-ios
High
Low
€50
Medium
€200
High
€500
Critical
€1,000
https://play.google.com/store/apps/details?id=com.moneyboxapp mobile-application-android
High
Low
€50
Medium
€200
High
€500
Critical
€1,000
https://sycamore.moneyboxapp.org/ web-application
Critical
Low
€50
Medium
€500
High
€1,000
Critical
€2,000

Out of scopes

  • The Moneybox public website https://www.moneyboxapp.com/ and other moneyboxapp.com / moneyboxapp.org domains not listed are out of scope.
  • Content served by the Cloudflare Access service (https://moneyboxapp.cloudflareaccess.com/*) is out of scope. These pages intentionally do not set a CORS Allow-Origin policy. We have seen this reported several times as a vulnerability, but it is intended behaviour and is considered out of scope.
  • Security concerns originating from https://moneyboxapp.onelogin.com/ are typically considered out of scope. These pages and their content are served by OneLogin, and any issues should be reported to them directly. However, if an exploit explicitly enables bypassing OneLogin to access Moneybox systems or leaking Moneybox sensitive data, it is crucial to raise the concerns to both OneLogin and Moneybox.

Vulnerability types

Qualifying vulnerabilities

  • Remote code execution (RCE)
  • Broken authentication & session management
  • Insecure direct object references
  • Horizontal and vertical privilege escalation
  • Material vulnerabilities related to unauthorised access to underlying cloud resources via private management URLs (whether Moneybox or Cloud Provider hosted).
  • Local files access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
  • Code injections (HTML, JS, SQL, PHP, ...)
  • Cross-Site Requests Forgery (CSRF) with real security impact
  • Open redirect
  • CORS with real security impact
  • Sensitive Information Exposure Through insecure data storage on device
  • Leaked information from Mobile (without rooting)
  • Insecure Communication
  • Insecure Authentication
  • Insecure Authorization
  • Insufficient Cryptography
  • Hardcoded secrets

Non-qualifying vulnerabilities

  • Direct invocation of actions or retrieval of data via the API that the user is legitimately entitled to invoke or retrieve using the Moneybox app is not considered a vulnerability.
  • Technical information disclosure - excluded
  • "Self" XSS
  • Missing cookie flags
  • SSL/TLS best practices
  • Mixed content warnings
  • Denial of Service attacks
  • "HTTP Host Header" XSS
  • Clickjacking/UI redressing
  • Software version disclosure
  • Stack traces or path disclosure
  • Physical or social engineering attempts
  • Recently disclosed 0-day vulnerabilities
  • Presence of autocomplete attribute on web forms
  • Vulnerabilities affecting outdated browsers or platforms
  • Issues that require physical access to a victim’s computer/device
  • Logout and other instances of low-severity Cross-Site Request Forgery
  • Missing security-related HTTP headers which do not lead directly to a vulnerability
  • Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated
  • Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM/DMARC)
  • Vulnerabilities requiring physical access to a user’s smartphone
  • Exploits that are only possible on Android versions below 5.0 (Lollipop)
  • Exploits that are only possible on IOS versions below 10
  • Exploits that are only possible on a jailbroken or rooted device
  • Exploiting a generic Android or iOS vulnerability.
  • Lack of code obfuscation
  • Lack of binary protection / jailbreak and root detection / anti-debugging controls
  • Crashing your own application
  • Non important secrets (such as 3rd party secrets)
  • SSL cypher suites
  • Vulnerable version of libraries (for example ‘jquery’) without demonstrable attack vector
  • SSL Pinning

Hunting requirements

Account access

  • Hunters will be testing in Moneybox’s live production environment.
  • Test accounts can be created using the Moneybox App for Android or iOS.
  • The Moneybox App is only available via the UK App Stores.
  • Test Accounts created in app can be used for testing against the Moneybox API
  • Test accounts will not be provided for the private web applications included in scope. For these web applications our main interest is in authentication and session management vulnerabilities.
  • Hunters must not use any automated scripts that rapidly submit multiple requests and must limit the number of user accounts sent through registration.
  • Hunters should use yeswehack alias email addresses for registration or, alternatively, include the text "yeswehack" in their email address.

User agent

Please append to your user-agent header the following value: ' bugbounty-0421 '.


Hunters collaboration

When submitting new report, you can add up to 5 collaborators, and define the reward split ratio.

For more information, see help center.
Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.