Monolith (https://monolith.xyz/) is building a non-custodial consumer banking replacement. We believe we can replicate the consumer banking experience with no central entity holding all of our users' assets.
We at Monolith take security seriously. We are calling out to all security researchers worldwide to help us identify and fix weaknesses in our offering. Monolith is the world's first non-custodial banking replacement; it is a very ambitious project, and we need your help to succeed! If you have discovered a bug, please contact us and join the Monolith Bug Bounty as soon as possible, and we will make sure that you get your reward!
Note: This program is for the disclosure of software security vulnerabilities only. If you believe your Monolith account has been compromised, contact support IMMEDIATELY via our support form.
Monolith will make a best effort to meet the following SLAs for security researchers participating in our program:
We’ll try to keep you informed about our progress throughout the process.
Participation in the Monolith Bug Bounty program requires you to adhere to “Responsible Disclosure”. Responsible Disclosure includes:
Please provide us with the following information when submitting a bug to this program:
This program has been set up to drive Monolith's mission forward. Our goal is to provide the best way for people to use their crypto. Monolith is here to help our customers safeguard their assets; of primary interest to this endeavor are their:
The Monolith Bug Bounty scope covers all software vulnerabilities in the in-scope services (as detailed in the scoping section of this bug bounty) provided by Monolith. A valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Monolith or any of Monolith's customers.
Given the non-custodial nature of our relationship with our users, the most important class of bugs we're looking for are ones that would cause our users to lose their funds or have them rendered frozen and unusable within their Smart Contract Wallet.
Any vulnerability where an attacker can siphon assets from our users in an unintended way is of most interest to Monolith and will be rewarded accordingly.
The relationship between our users and their funds is governed by our Smart Contract Wallet, a.k.a. the Consumer Contract Wallet. Please test the latest released version of our smart contract wallet. Researchers should only look for bugs in the commit of the latest release version.
The Consumer Contract Wallet: https://github.com/tokencard/contracts/releases
At Monolith we store, process, and transmit sensitive data pertaining to our customers. We store data that can be used to associate real-world identities with wallets on the blockchain. We have also built services that allow our users to move their crypto from their wallets to their own Visa debit cards; this requires us to transmit and process Cardholder Data. As a result, Monolith's infrastructure adheres to the PCI-DSS standard. We also pride ourselves on being GDPR compliant.
The Monolith platform has two entry points exposed to the internet. These two resources are both within the scope of the Monolith Bug Bounty:
Before discussing your findings publicly, please allow us time to fix the vulnerability and ask our permission before doing so.
Follow HackerOne's disclosure guidelines.
All rights of interpretation of the Monolith Bug Bounty are reserved to Monolith. Monolith decides whether to reward a bug disclosure and how much will be rewarded. Individual or team participants must not violate any laws or regulations during testing.
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping build the world’s first non-custodial banking replacement!
Scope Type | Scope Name
Firebounty crawled the Monolith program on the HackerOne platform on 2020-02-05.