Moneytree provides a personal finance management app that uses data aggregation to radically simplify your relationship with money. The service currently supports Japanese and Australian financial institutions and provides a Japanese & English language interface.
This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings.
Last updated 24 August 2018 19:16:11 UTC
Technical severity | Reward range
p1 Critical | $4,000 - $5,000
p2 Severe | $2,000 - $3,000
p3 Moderate | $750 - $1,000
p4 Low | $300 - $500
P5 submissions do not receive any rewards for this program.
Target name | Type
app-staging.getmoneytree.com | Website
au-api-staging.getmoneytree.com | API
jp-api-staging.getmoneytree.com | API
myaccount-staging.getmoneytree.com | API
wwws-staging.moneytree.jp/link/ | Website
wwws-staging.moneytree.jp/link/mobile/ | Website
Moneytree staging Android Mobile Application (see below) | Android
Moneytree iOS Mobile Application (production; see below) | iOS
Target name | Type
moneytree.jp | Website
Any production asset of Moneytree KK (excepting the iOS app) | Website
Any domain/property of Moneytree KK not listed in the targets section is out of scope. This includes any/all subdomains not listed above.
For this program, we're inviting researchers to test our staging platform, divided into:
Devices: (a) iOS and (b) Android applications
(a) https://itunes.apple.com/au/app/id586847189 (Production. Read note below!)
(b) https://drive.google.com/open?id=0BzkiY_2JRuZZb1NmMEVWTGZfakk (Staging .apk)
Webclients: (a) general, (b) partners, (c) mobile and (d) oauth
Regional API: (a)(b) our main monolithic API (internally connects to several services)
Guest Service: OAuth
iOS is not well suited to hosting staging builds, so we shared the production link. While you may use it to understand the navigation flow, please avoid pentesting against any domain whose name does not contain "staging".
There are no restrictions, but some rate-limits may apply.
4242424242424242 (any expiration date)
Use the client_id provided in the scope URL to test any OAuth flow.
Test institutions can be used to simulate linking bank, credit card, or point accounts. To reach a test financial institution when adding an account, select 'bank' and then 'test financial institution', which will present the options for a test bank, credit card, etc. Other test institutions can be used to simulate error states.
If you trigger any HTTP 500 error, we receive an alert and will fix it as soon as possible. Please do not continue fuzzing after finding one of these.
Change email: doesn't ask for the old password.
We would greatly appreciate it if you report all the information you uncover. Our customers deserve to be notified if their private information was exposed without their consent. Please make all reports confidentially via the Bugcrowd platform.
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.
Contact us if you want more information.