October is an online lending marketplace where European SMEs access financing from private and institutional investors.
The security of our users is the number-one priority at October. Over the years, the tech team has been working on improving the security of the platform to protect money, documents and personal information entrusted to October.
We appreciate your help in reporting any issue that might lead to a security breach. We’ll do our best to fix the issue quickly.
Our stack is available here: we mainly use Node.js, MongoDB, Ember.js.
You must provide a clear vulnerability description with detailed steps to reproduce the issue and screenshots as necessary, following these rules:
In the context of this program, we do not intend to encourage, accept or reward reports of leaks that are not applicable to our program’s scope and identified outside of our program’s scope, such as:
Also, in order not to encourage dark and grey economies, in particular the purchase, resale and trade of identifiers or stolen information, as well as all types of dangerous behavior (e.g. social engineering, ...), we will not accept or reward any report based on information whose source is not the result of failure on the part of our organization or one of our employees/service providers.
Almost all of our users (lenders, borrowers, partners, administrators) use our web application, available in production or pre-production. You can use the production or pre-production environment to do your tests, but the pre-production environment will allow you to test more features.
On the staging environment, we use the sandbox of our payment provider, which allows you to test inputting / outputting money on your October account.
Since 2021, October has been released as a SaaS. Our partners can use our Public API to submit loan applications automatically for a client / on behalf of borrowers. You can find the documentation attached as october-connect-getting-started-compressed.pdf.
Our SaaS is decoupled into 3 modules: document scanner, company scoring and loan application flow.
Our lenders can also use our mobile application to interact with their account (investing, updating their password, filling their wallet, updating their personal data, ...). The mobile application is only available for our lender community.
Scope Type | Scope Name |
---|---|
android_application | October - https://apps.apple.com/fr/app/october/id1167975760 |
api | api.october.eu |
api | engine.october.eu |
api | xray.october.eu |
api | staging-api.october.eu |
api | staging-engine.october.eu |
api | staging-xray.october.eu |
ios_application | October - https://play.google.com/store/apps/details?id=mobile.lendix.com&hl=en&gl=US |
web_application | app.october.eu |
web_application | staging-app.october.eu |
Scope Type | Scope Name |
---|---|
undefined | Vulnerability in a third-party vendor we use |
web_application | The front website in all locales on https://october.eu, https://it.october.eu, https://es.october.eu, https://nl.october.eu, https://de.october.eu |
This program, crawled on 2023-06-19, is sorted as bounty.