Monolith Bug Bounty

Monolith (https://monolith.xyz/) is building a non-custodial consumer banking replacement. We believe we can replicate the consumer banking experience with no central entity holding all of our users' assets.

Introduction

We at Monolith take security seriously. We are calling on security researchers worldwide to help us identify and fix weaknesses in our offering. Monolith is the world's first non-custodial banking replacement; it is a very ambitious project, and we need your help to succeed! If you have discovered a bug, please contact us and join the Monolith Bug Bounty as soon as possible, and we will make sure that you get your reward!

Note: This program is for the disclosure of software security vulnerabilities only. If you believe your Monolith account has been compromised, contact support IMMEDIATELY via our support form.

SLA

Monolith will make a best effort to meet the following SLAs for security researchers participating in our program:

  • Time to first response (from report submission): 2 business days
  • Time to triage (from report submission): 2 business days
  • Time to bounty (from triage): 14 business days

We’ll try to keep you informed about our progress throughout the process.

Participation Requirements

Participation in the Monolith Bug Bounty program requires you to adhere to “Responsible Disclosure”. Responsible Disclosure includes:

  • Providing a reasonable amount of time to fix a vulnerability prior to sharing details of that vulnerability with any other party.
  • Making a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
  • Not defrauding Monolith customers or Monolith itself in the process of participating.
  • Not profiting from, or allowing any other party to profit from, a vulnerability outside of the payouts made by this program.
  • Reporting vulnerabilities with no conditions, demands, or ransom threats.
  • Not conducting Social Engineering attacks against Monolith employees; doing so is deemed a violation of this program, and researchers engaging in such attacks will be banned from it. We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.
  • And finally, please do not try to sneak into our offices for any reason.

How to submit your vulnerability

Please provide us with the following information when submitting a bug to this program:

  • Summary of the bug
  • Severity of the bug
  • Steps to reproduce
  • Working proof of concept plus any supporting materials (code, screenshots, logs, etc.)
  • Is any private personal data exposed?
  • Is any private financial data exposed?
  • Are user funds at risk of being lost or frozen?

What we are interested in

This program has been set up to drive Monolith's mission forward. Our goal is to provide the best way for people to use their crypto. Monolith is here to help our customers safeguard their assets; of primary interest to this endeavour are:

  • Their crypto holdings,
  • Their sensitive personal data, and
  • Their fiat currency balances

The Monolith Bug Bounty scope covers all software vulnerabilities in the in-scope services (as detailed in the Scope section of this bug bounty) provided by Monolith. A valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Monolith or any of Monolith's customers.

What we are MOST interested in

Given the non-custodial nature of our relationship with our users, the most important class of bugs we are looking for is one that would cause our users to lose their funds, or have them rendered frozen and unusable, within their Smart Contract Wallet.

Any vulnerability through which an attacker can siphon assets from our users in an unintended way is of greatest interest to Monolith and will be rewarded accordingly.

Scope

The Consumer Contract Wallet

The relationship between our users and their funds is governed by our Smart Contract Wallet, a.k.a. the Consumer Contract Wallet. Please test the latest released version of our smart contract wallet. Researchers should only look for bugs at the latest release version commit.

The Consumer Contract Wallet: https://github.com/tokencard/contracts/releases

The Monolith Platform

At Monolith we store, process, and transmit sensitive data pertaining to our customers. We store data that can be used to associate real-world identities with wallets on the blockchain. We have also built services that allow our users to move their crypto from their wallets to their own Visa debit cards, which requires us to transmit and process Cardholder Data. As a result, Monolith's infrastructure adheres to the PCI-DSS standard. We also pride ourselves on being GDPR compliant.

The Monolith platform has two entry points exposed to the internet. These resources are all within the scope of the Monolith Bug Bounty:

  • https://api.production.tkn.zone/
  • https://kyc-events.production.tkn.zone/
  • https://card-onboarding.production.tkn.zone/

Out of scope

  • Transport related attacks
  • Lack of TLS-pinning on the connection from the App to our server
  • Misconfigurations or missing best practices, e.g. lack of security headers, content types, etc.
  • Missing best practices in SSL/TLS configuration
  • Attacks on jailbroken/compromised phones, including attacks requiring MITM or physical access to a user's device.
  • Modification of React Native bundle
  • OS vulnerabilities
  • Spam, Phishing, Vishing, Smishing, Social Engineering of customers or staff
  • (D)DoS attacks
  • Our web properties, including but not limited to our website, blog and helpdesk
  • Vulnerabilities or attacks on third-party providers (unless otherwise specified)
  • Vulnerabilities on third party libraries without showing specific impact to the target application (e.g. a CVE with no exploit)
  • Missing best practices in DNS records such as SPF/DKIM
  • Scanner output or scanner-generated reports, including output from any automated or active exploit tool
  • Information leaks via code repositories, transparency logs, etc.
  • Clickjacking on pages with no sensitive actions
  • Unauthenticated/logout/login CSRF
  • Initial verification flows (via email or SMS)

Disclosure Policy

Before discussing your findings publicly, please allow us time to fix the vulnerability and ask our permission before doing so.

Follow HackerOne's disclosure guidelines.

Legal

All rights of interpretation of the Monolith Bug Bounty are reserved to Monolith. Monolith decides whether to reward a bug disclosure and how much will be rewarded. Any individual or team participant should not violate any laws and regulations during testing.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

THANK YOU!

Thank you for helping build the world’s first non-custodial banking replacement!

In Scope

  Scope Type           Scope Name
  android_application  io.tokencard.app.android
  ios_application      io.tokencard.app.ios
  web_application      api.production.tkn.zone
  web_application      kyc-events.production.tkn.zone
  web_application      card-onboarding.production.tkn.zone
  web_application      https://github.com/tokencard/contracts


FireBounty crawled the Monolith program on the HackerOne platform on 2020-02-05.