avatar
Bug bounty
Public

Sogexia

Sogexia is the first French fintech acting as innovative payment services operator and manages at international scale a wide range of innovative banking solutions: payment accounts, physical and virtual cards, mobile payment and additional services.

Reward

Bounty
Hall of fame
€100
Low
€100
Medium
€400
High
€1,000
Critical
€2,000

Program

Avg reward
-
Max reward
-
Scopes
3

Supported languages
English
French

Hacktivity

Reports
185
1st response
< 3 days
Reports last 24h
1
Reports last week
1
Reports this month
3

Last Update: 2023-07-26 - Detailed consumer / business accounts features

Introducing Sogexia

Sogexia is the first French fintech acting as innovative payment services operator and manages at international scale a wide range of innovative banking solutions: payment accounts, physical and virtual cards, mobile payment and additional services. Controlled by the ACPR, Sogexia offers its services to consumers, public institutions and businesses from all sectors.

In concrete terms, we provide our customers with an online bank account they can provision with bank transfers or online payments. This account entitles physical debit cards ownership. Cards can be used in the whole MasterCard network as long as account holds necessary funds.

There are two permission levels:

  • standard level, available right after account creation
  • upgraded level, available after customer's identity is verified

Upgraded level grants extended usage limits and additional services (bank transfers, ...).

What we'll reward

This program is targeted at our public account management web application https://my.sogexia.com and the related mobile applications (iOS and Android) only.

Rewards will be valued at our discretion according to our own severity evaluation, we especially value vulnerabilities that could be exploited to:

  • trigger funds movement beyond our system's restrictions
  • perform a significant action on behalf of another user
  • gain free access to a normally paid service
  • perform an unauthorised operation without an upgraded account
  • access to users personal data

Reports must include a detailed realistic attack scenario. We ask you to explain as clearly as you can what an attacker can actually do using the vulnerability you've discovered. We're not interested in customers injecting javascript alerts but a scenario in which a stored XSS allows an attacker to harvest sensitive data from our customers will be rewarded.

What we won't reward

All other web apps, including our corporate site www.sogexia.com, our customer support platform support.sogexia.com and cashback services www.sogexiaclub.com are out of scope. If you find a vulnerability on thoses sites, it won't be rewarded (except of course if it allows an actual security breach impacting my.sogexia.com)

Mobile vulnerabilities will only be accepted if they target the latest application version on a recent - not jailbroken - OS version (Android >= 8, iOS >= 11).

We don't plan to pay rewards for finding bugs not directly related to security (500 errors, incorrect display, usability flaws) but feel free to tell us anyway if you find any :-)

We already know about a few vulnerabilities we don't intend to fix (listed in unqualifying vulnerabilities). Reporting them won't be rewarded unless they give way to another actual vulnerability.

It's also possible that we've already identified but not yet fixed an issue, you won't be rewarded either in this case.

We'll only reward the first person to report a vulnerability, if you come next (unless with a different exploitation proof of concept) you won't be rewarded.

Responsibility charter

By participating to this program, you agree:

  • not to target a real customer, whether it be physically or virtually and to only use your own test accounts to reach your goals
  • not to impact other customers with your testing
  • not to disclose any vulnerability you may discover until we fix it
  • to give back funds you may have extracted exploiting a vulnerability
  • not to alter data except for what you input yourself
  • not to disclose data you may have extracted from our system
  • to only extract the bare minimum of data needed to prove your point
  • not to edit our system (neither code nor infrastructure)
  • not to leave a backdoor after you've proved your point
  • not to put the system out of service (using DDoS or exploiting a vulnerability)
  • not to put the system under heavy load: refrain from using scanners or don't go beyond 2 requests per second

You can't participate in this program if you're a former or current Sogexia employee or contractor.

Any failure to comply with this charter could be sanctioned with legal actions.

Our commitments

  • We'll review your reports as soon as possible and will keep you updated throughout the whole process
  • We'll do our best to fix reported vulnerabilities in a timely manner
  • Should we decline a report, we'll explain why
  • You'll be free to publicly disclose your discovery as soon as we tell you we fixed it (or don't intend to fix it)
  • Obviously, funds you have legitimately provisioned your test accounts with are your property and we'll transfer it back to you if you ask so.

Enrollment

We invite you to create an account on https://www.sogexia.com/ouvrir-un-compte and to email us your account username at bugbounty@sogexia.com, so we can provide you with a discount voucher.

Please note that the below limitations apply:

European residency required

Please note that we can only accept customers with a valid European Economic Area address. Since participating in this program starts with creating a customer account, if you can't create an account using your real address, we won't be authorized to verify your identity and upgrade your account.

Identity verification

We're legally bound to verify our upgraded customers identity and will require actual documents according to the type of account you're opening.

Consumer accounts

You'll have to provide actual identification documents and proof of address to upgrade your account.
You may use a screenshot of your YesWeHack profile (making sure the YesWeHack logo is clearly visible) as proof of income.

Business accounts

You'll have to provide an actual company's certificate of incorporation and articles of association as well as identity documents and proof of address for yourself and any other main associates.

Free debit card

When participating in the program, send us an email at bugbounty@sogexia.com, we'll provide you a discount voucher so that you can order and receive a free physical debit card. This will give you access to additional features.

Features list

A few features are only available to our business customers, additionally there are several features that are not implemented in the same way for our consumer and business accounts so may find a vulnerability that only affects one kind of account.

General Features

Feature Consumer Business Notes
Identity verification x x Business accounts are required to provide documents for several entities
Transaction history x x
User preferences x x
Phone number update x x
Email address update x x
postal address update x x

Transfers

Feature Consumer Business Notes
Add transfer beneficiary x x
Emit a single Transfer x x
Emit several grouped transfers x x
Emit an instant transfer x x Limited to other Sogexia accounts for now
Transfers history x x
View Personal IBAN x x
Require a secondary French IBAN x x

Debit cards

Feature Consumer Business Notes
Order a debit card x x Two types of card exist
Activate a debit card x x
Lock/Unlock a debit card x x
Retreive debit card PIN x x
Unlock debit card PIN x x After several failed physical attempts

Credit card deposits

Feature Consumer Business Notes
Register a loading credit card x
Credit card deposit x x Consumer accounts must use a previously registered card

Cash deposits

Feature Consumer Business Notes
Retreive personal barcode x x

Direct Debits

Feature Consumer Business Notes
Direct Debits list x x
Provide B2B mandate x Business accounts can use the core SEPA scheme as well as the B2B scheme
Revoke core mandate x x
Revoke B2B mandate x
Reject Direct Debit x x Business accounts can only reject debits that are part of the core scheme

Changelog

2020-07-10 - Added mobile applications to program scope
2023-02-23 - Reward amounts raised
2023-02-23 - New SEPA direct debit feature
2023-02-23 - New cash deposit feature
2023-07-23 - New Grouped Transfers feature
2023-07-23 - New postal address update feature
2023-07-23 - Added tracking features in iOS and Android apps
2023-07-23 - Detailed consumer / business accounts features


Reward

Asset value CVSS
Low
CVSS
Medium
CVSS
High
CVSS
Critical
Low
€100€400€1,000€2,000

Scopes

ScopeTypeAsset value
https://my.sogexia.com web-application
Low
Low
€100
Medium
€400
High
€1,000
Critical
€2,000
https://play.google.com/store/apps/details?id=io.gonative.android.xjndrq&hl=fr mobile-application-android
Low
Low
€100
Medium
€400
High
€1,000
Critical
€2,000
itmss://apps.apple.com/us/app/id1510360750?ign-mscache=1 mobile-application-ios
Low
Low
€100
Medium
€400
High
€1,000
Critical
€2,000

Out of scopes

  • all domains not listed in scopes, noteworthy:
  • www.sogexia.com
  • support.sogexia.com
  • www.sogexiaclub.com
  • Social media accounts

Vulnerability types

Qualifying vulnerabilities

  • Remote code execution
  • Code injections
  • Authentication flaws
  • Authorisation flaws / privilege escalation
  • Cross-Site Request Forgery with real security impact
  • Cross-Site Scripting
  • Clickjacking
  • Unciphered HTTP access and mixed content
  • Sensitive data exposure
  • Sensitive Information Exposure Through insecure data storage on mobile device
  • Leaked information from Mobile (without rooting)

Non-qualifying vulnerabilities

  • Already known issues
  • Anything we can't reproduce
  • Hypothetical flaw or best practices without exploitable POC and concrete attack scenario
  • Untechnical attacks (phishing, social engineered or physical assault)
  • Issues that require physical access to a victim's device
  • Denial of service attacks
  • Any third party provider's software vulnerabilities including MasterCard network
  • Vulnerable version of libraries (for example ‘jquery’) without demonstrable attack vector
  • Logout and other instances of low-severity Cross-Site Request Forgery
  • Already known CSRF vulnerability in transaction category management
  • User enumeration through registration form
  • Technical information disclosure
  • Missing security-related HTTP headers which do not lead directly to a vulnerability
  • Self XSS unless stored
  • Password and account recovery policies, such as reset link expiration or password complexity
  • Email configuration
  • Exploits that are only possible on Android version 7 and below
  • Exploits that are only possible on IOS version 10 and below
  • Exploits that are only possible on a jailbroken device
  • Lack of code obfuscation
  • Lack of binary protection / jailbreak and root detection / anti-debugging controls
  • Crashing your own application
  • SSL cypher suites
  • SSL Pinning

Hunting requirements

Account access

You can create a customer account online but note we're legally bound to only accept European Economic Area residents.


Hunters collaboration

When submitting new report, you can add up to 5 collaborators, and define the reward split ratio.

For more information, see help center.
Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.

To submit a vulnerability report, you need to login with your hunter account.