Sogexia
Sogexia is the first French fintech acting as innovative payment services operator and manages at international scale a wide range of innovative banking solutions: payment accounts, physical and virtual cards, mobile payment and additional services.
Reward
Program
Hacktivity
Last Update: 2023-07-26 - Detailed consumer / business accounts features
Introducing Sogexia
Sogexia is the first French fintech acting as innovative payment services operator and manages at international scale a wide range of innovative banking solutions: payment accounts, physical and virtual cards, mobile payment and additional services. Controlled by the ACPR, Sogexia offers its services to consumers, public institutions and businesses from all sectors.
In concrete terms, we provide our customers with an online bank account they can provision with bank transfers or online payments. This account entitles physical debit cards ownership. Cards can be used in the whole MasterCard network as long as account holds necessary funds.
There are two permission levels:
- standard level, available right after account creation
- upgraded level, available after customer's identity is verified
Upgraded level grants extended usage limits and additional services (bank transfers, ...).
What we'll reward
This program is targeted at our public account management web application https://my.sogexia.com and the related mobile applications (iOS and Android) only.
Rewards will be valued at our discretion according to our own severity evaluation, we especially value vulnerabilities that could be exploited to:
- trigger funds movement beyond our system's restrictions
- perform a significant action on behalf of another user
- gain free access to a normally paid service
- perform an unauthorised operation without an upgraded account
- access to users personal data
Reports must include a detailed realistic attack scenario. We ask you to explain as clearly as you can what an attacker can actually do using the vulnerability you've discovered. We're not interested in customers injecting javascript alerts but a scenario in which a stored XSS allows an attacker to harvest sensitive data from our customers will be rewarded.
What we won't reward
All other web apps, including our corporate site www.sogexia.com, our customer support platform support.sogexia.com and cashback services www.sogexiaclub.com are out of scope. If you find a vulnerability on thoses sites, it won't be rewarded (except of course if it allows an actual security breach impacting my.sogexia.com)
Mobile vulnerabilities will only be accepted if they target the latest application version on a recent - not jailbroken - OS version (Android >= 8, iOS >= 11).
We don't plan to pay rewards for finding bugs not directly related to security (500 errors, incorrect display, usability flaws) but feel free to tell us anyway if you find any :-)
We already know about a few vulnerabilities we don't intend to fix (listed in unqualifying vulnerabilities). Reporting them won't be rewarded unless they give way to another actual vulnerability.
It's also possible that we've already identified but not yet fixed an issue, you won't be rewarded either in this case.
We'll only reward the first person to report a vulnerability, if you come next (unless with a different exploitation proof of concept) you won't be rewarded.
Responsibility charter
By participating to this program, you agree:
- not to target a real customer, whether it be physically or virtually and to only use your own test accounts to reach your goals
- not to impact other customers with your testing
- not to disclose any vulnerability you may discover until we fix it
- to give back funds you may have extracted exploiting a vulnerability
- not to alter data except for what you input yourself
- not to disclose data you may have extracted from our system
- to only extract the bare minimum of data needed to prove your point
- not to edit our system (neither code nor infrastructure)
- not to leave a backdoor after you've proved your point
- not to put the system out of service (using DDoS or exploiting a vulnerability)
- not to put the system under heavy load: refrain from using scanners or don't go beyond 2 requests per second
You can't participate in this program if you're a former or current Sogexia employee or contractor.
Any failure to comply with this charter could be sanctioned with legal actions.
Our commitments
- We'll review your reports as soon as possible and will keep you updated throughout the whole process
- We'll do our best to fix reported vulnerabilities in a timely manner
- Should we decline a report, we'll explain why
- You'll be free to publicly disclose your discovery as soon as we tell you we fixed it (or don't intend to fix it)
- Obviously, funds you have legitimately provisioned your test accounts with are your property and we'll transfer it back to you if you ask so.
Enrollment
We invite you to create an account on https://www.sogexia.com/ouvrir-un-compte and to email us your account username at bugbounty@sogexia.com, so we can provide you with a discount voucher.
Please note that the below limitations apply:
European residency required
Please note that we can only accept customers with a valid European Economic Area address. Since participating in this program starts with creating a customer account, if you can't create an account using your real address, we won't be authorized to verify your identity and upgrade your account.
Identity verification
We're legally bound to verify our upgraded customers identity and will require actual documents according to the type of account you're opening.
Consumer accounts
You'll have to provide actual identification documents and proof of address to upgrade your account.
You may use a screenshot of your YesWeHack profile (making sure the YesWeHack logo is clearly visible) as proof of income.
Business accounts
You'll have to provide an actual company's certificate of incorporation and articles of association as well as identity documents and proof of address for yourself and any other main associates.
Free debit card
When participating in the program, send us an email at bugbounty@sogexia.com, we'll provide you a discount voucher so that you can order and receive a free physical debit card. This will give you access to additional features.
Features list
A few features are only available to our business customers, additionally there are several features that are not implemented in the same way for our consumer and business accounts so may find a vulnerability that only affects one kind of account.
General Features
| Feature | Consumer | Business | Notes |
|---|---|---|---|
| Identity verification | x | x | Business accounts are required to provide documents for several entities |
| Transaction history | x | x | |
| User preferences | x | x | |
| Phone number update | x | x | |
| Email address update | x | x | |
| postal address update | x | x |
Transfers
| Feature | Consumer | Business | Notes |
|---|---|---|---|
| Add transfer beneficiary | x | x | |
| Emit a single Transfer | x | x | |
| Emit several grouped transfers | x | x | |
| Emit an instant transfer | x | x | Limited to other Sogexia accounts for now |
| Transfers history | x | x | |
| View Personal IBAN | x | x | |
| Require a secondary French IBAN | x | x |
Debit cards
| Feature | Consumer | Business | Notes |
|---|---|---|---|
| Order a debit card | x | x | Two types of card exist |
| Activate a debit card | x | x | |
| Lock/Unlock a debit card | x | x | |
| Retreive debit card PIN | x | x | |
| Unlock debit card PIN | x | x | After several failed physical attempts |
Credit card deposits
| Feature | Consumer | Business | Notes |
|---|---|---|---|
| Register a loading credit card | x | ||
| Credit card deposit | x | x | Consumer accounts must use a previously registered card |
Cash deposits
| Feature | Consumer | Business | Notes |
|---|---|---|---|
| Retreive personal barcode | x | x |
Direct Debits
| Feature | Consumer | Business | Notes |
|---|---|---|---|
| Direct Debits list | x | x | |
| Provide B2B mandate | x | Business accounts can use the core SEPA scheme as well as the B2B scheme | |
| Revoke core mandate | x | x | |
| Revoke B2B mandate | x | ||
| Reject Direct Debit | x | x | Business accounts can only reject debits that are part of the core scheme |
Changelog
2020-07-10 - Added mobile applications to program scope
2023-02-23 - Reward amounts raised
2023-02-23 - New SEPA direct debit feature
2023-02-23 - New cash deposit feature
2023-07-23 - New Grouped Transfers feature
2023-07-23 - New postal address update feature
2023-07-23 - Added tracking features in iOS and Android apps
2023-07-23 - Detailed consumer / business accounts features
Reward
| Asset value | CVSS | CVSS | CVSS | CVSS |
|---|---|---|---|---|
| €100 | €400 | €1,000 | €2,000 |
Scopes
| Scope | Type | Asset value | Expand rewards grid |
|---|---|---|---|
| https://my.sogexia.com | web-application | ||
Low Medium High Critical | |||
| https://play.google.com/store/apps/details?id=io.gonative.android.xjndrq&hl=fr | mobile-application-android | ||
Low Medium High Critical | |||
| itmss://apps.apple.com/us/app/id1510360750?ign-mscache=1 | mobile-application-ios | ||
Low Medium High Critical | |||
Out of scopes
- all domains not listed in scopes, noteworthy:
- www.sogexia.com
- support.sogexia.com
- www.sogexiaclub.com
- Social media accounts
Vulnerability types
Qualifying vulnerabilities
- Remote code execution
- Code injections
- Authentication flaws
- Authorisation flaws / privilege escalation
- Cross-Site Request Forgery with real security impact
- Cross-Site Scripting
- Clickjacking
- Unciphered HTTP access and mixed content
- Sensitive data exposure
- Sensitive Information Exposure Through insecure data storage on mobile device
- Leaked information from Mobile (without rooting)
Non-qualifying vulnerabilities
- Already known issues
- Anything we can't reproduce
- Hypothetical flaw or best practices without exploitable POC and concrete attack scenario
- Untechnical attacks (phishing, social engineered or physical assault)
- Issues that require physical access to a victim's device
- Denial of service attacks
- Any third party provider's software vulnerabilities including MasterCard network
- Vulnerable version of libraries (for example ‘jquery’) without demonstrable attack vector
- Logout and other instances of low-severity Cross-Site Request Forgery
- Already known CSRF vulnerability in transaction category management
- User enumeration through registration form
- Technical information disclosure
- Missing security-related HTTP headers which do not lead directly to a vulnerability
- Self XSS unless stored
- Password and account recovery policies, such as reset link expiration or password complexity
- Email configuration
- Exploits that are only possible on Android version 7 and below
- Exploits that are only possible on IOS version 10 and below
- Exploits that are only possible on a jailbroken device
- Lack of code obfuscation
- Lack of binary protection / jailbreak and root detection / anti-debugging controls
- Crashing your own application
- SSL cypher suites
- SSL Pinning
Hunting requirements
Account access
You can create a customer account online but note we're legally bound to only accept European Economic Area residents.
Hunters collaboration
When submitting new report, you can add up to 5 collaborators, and define the reward split ratio.
For more information, see help center.
Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.
