2021-07-28

Monzo

Policy

Monzo is always looking to proactively enhance its security to identify new threats and help ensure the safety of customer accounts and information.

Because threats to Monzo and customers are ever present, we value the important role the security community plays in helping us mitigate information security risk. If you have information about possible security vulnerabilities in any Monzo product or service, please submit a report using these guidelines.

Note: This is a Vulnerability Disclosure Program. If you need Monzo customer support, or are reporting fraud or phishing, please contact customer support through the Monzo app.

Response Targets

Monzo will make a best effort to meet the following response targets for hackers participating in our program:

  • Time to first response (from report submit) - 2 business days

  • Time to triage (from report submit) - 2 business days

  • We’ll try to keep you informed about our progress throughout the process.

Process and Guidelines

  • Your submission will be reviewed and validated by a member of the Monzo Vulnerability Management Team.

  • When submitting a vulnerability, please provide simple, concise steps so that we can reproduce the issue.

  • If the same vulnerability is found on multiple hosts/services, please include all of them in a single report.

  • We treat the first report received about a vulnerability as unique; subsequent reports will be marked as duplicates.

Disclosure Policy

  • Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organisation.

  • At all times act responsibly and in the best interests of Monzo and our customers.

  • Do not break the law.

  • Do not use social engineering techniques against our customers or staff.

  • Do not put any Monzo data or our customer data at risk.

  • Please provide a detailed and complete submission (masking or encrypting if necessary).

  • Please reference any existing vulnerability information where relevant.

  • Follow HackerOne's disclosure guidelines.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorised conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Confidentiality

In the interest of fostering coordinated disclosure, Monzo will collaborate with finders in good faith who wish to disclose vulnerabilities. To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification, before any further disclosure.

Rewards

This program does not provide monetary rewards for bug submissions.

In Scope

Scope Type            Scope Name
android_application   co.uk.getmondo
ios_application       io.b2a.BankProd
web_application       *.monzo.com
web_application       monzo.me
web_application       monzomail.com
web_application       monzoemail.com
web_application       *.prod-ffs.io

Out of Scope

Scope Type            Scope Name
web_application       community.monzo.com


This policy, crawled by Onyphe on 2021-07-28, is sorted as bounty.

FireBounty © 2015-2024
