FireBounty
52212 policies in database
Link to program      
2022-04-11
Moneybox Bug Bounty logo
Thank
Gift
HOF
Reward

Reward

Moneybox Bug Bounty

Company

Moneybox helps more than 600,000 customers save and invest for their future. We offer cash savings products and long term investment products. As with all investing, your capital is at risk.

Program Rules

  • We believe that no technology is perfect and that working with skilled security researchers is crucial in identifying weaknesses in our technology.
  • If you believe you've found a security bug in our service, we are happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.
  • Any type of denial of service attacks is strictly forbidden, as well as any interference with network equipment and Moneybox infrastructure.

Eligibility and Responsible Disclosure

  • We are happy to thank everyone who submits valid reports which help us improve the security of Moneybox however, only those that meet the following eligibility requirements may receive a monetary reward:
  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability
  • Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through yeswehack.com
  • You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
  • You must avoid tests that could cause degradation or interruption of our service (refrain from using automated tools, and limit yourself about requests per second).
  • You must not leak, manipulate, or destroy any user data.
  • You must not be a former or current employee of Moneybox or one of its contractors.
  • Reports about vulnerabilities are examined by our security analysts.
  • Our analysis is based on worst case exploitation of the vulnerability, as is the reward we pay.
  • No vulnerability disclosure, including partial is allowed for the moment.

In Scope

Scope Type Scope Name
android_application

https://play.google.com/store/apps/details?id=com.moneyboxapp
api

https://api.moneyboxapp.com/
ios_application

https://apps.apple.com/gb/app/moneybox-save-and-invest/id1049797239
web_application

https://admin.moneyboxapp.org/
web_application

https://admin-roundups.moneyboxapp.org/
web_application

https://sycamore.moneyboxapp.org/

Out of Scope

Scope Type Scope Name
web_application

The Moneybox public website https://www.moneyboxapp.com/ and other moneyboxapp.com / moneyboxapp.org domains not listed are out of scope.
web_application

Content served by the Cloudflare Access service (https://moneyboxapp.cloudflareaccess.com/*) is out of scope. These pages intentionally do not set a CORS Allow-Origin policy. We have seen this reported several times as a vulnerability, but it is intended behaviour and is considered out of scope.
web_application

Security concerns originating from https://moneyboxapp.onelogin.com/ are typically considered out of scope. These pages and their content are served by OneLogin, and any issues should be reported to them directly. However, if an exploit explicitly enables bypassing OneLogin to access Moneybox systems or leaking Moneybox sensitive data, it is crucial to raise the concerns to both OneLogin and Moneybox.

Firebounty have crawled on 2022-04-11 the program Moneybox Bug Bounty on the platform Yeswehack.

FireBounty © 2015-2025

Legal notices | Privacy policy