2023-06-19
October Marketplace

Context

October is an online lending marketplace where European SMEs access financing from private and institutional investors.

The security of our users is the number-one priority at October. Over the years, the tech team has been working on improving the security of the platform to protect money, documents and personal information entrusted to October.

We appreciate your help in reporting any issue that might lead to a security breach. We’ll do our best to fix the issue quickly.

Our stack is mainly Node.js, MongoDB and Ember.js.

Guidelines

You must provide a clear vulnerability description with detailed steps to reproduce the issue and screenshots as necessary, following these rules:

  • Report to us directly, never publicly
  • Do not over-exploit the issue to find further vulnerabilities or access user data
  • Test on your own account, or with the explicit permission of the account owner
  • Do not DDoS the platform or make the service unavailable
  • If you’re the first to report the vulnerability, you will receive a compensatory reward, depending on the severity of the breach you are reporting

Reports of leaks and exposed credentials

In the context of this program, we do not encourage, accept or reward reports of leaks that do not concern our program's scope and were identified outside of it, such as:

  • Exposed credentials in/from an out-of-scope asset/source
  • Sensitive information exposed in/from an out-of-scope asset/source

Also, so as not to encourage dark and grey economies, in particular the purchase, resale and trade of credentials or stolen information, or any other kind of dangerous behaviour (e.g. social engineering), we will not accept or reward any report based on information whose source is not a failure on the part of our organization or one of our employees or service providers.

Environments

Web application

Almost all users (lenders, borrowers, partners, administrators) use our web application, which is available in production and pre-production. You can test against either environment, but the pre-production (staging) environment lets you exercise more features.

The staging environment uses our payment provider's sandbox, which lets you test paying money into and withdrawing money from your October account.

Public API: October Connect

Since 2021, October has also been offered as SaaS. Our partners can use our Public API to submit loan applications automatically for a client, on behalf of borrowers. The documentation is attached as october-connect-getting-started-compressed.pdf.

Our SaaS is split into three modules: document scanner, company scoring and loan application flow.

Mobile application

Our lenders can also use our mobile application to interact with their account (investing, updating their password, funding their wallet, updating their personal data, ...). The mobile application is only available to our lender community.

In Scope

Scope Type            Scope Name
ios_application       October - https://apps.apple.com/fr/app/october/id1167975760
android_application   October - https://play.google.com/store/apps/details?id=mobile.lendix.com&hl=en&gl=US
api                   api.october.eu
api                   engine.october.eu
api                   xray.october.eu
api                   staging-api.october.eu
api                   staging-engine.october.eu
api                   staging-xray.october.eu
web_application       app.october.eu
web_application       staging-app.october.eu

Out of Scope

Scope Type            Scope Name
(not specified)       Vulnerability in a third-party vendor we use
web_application       The front website in all locales: https://october.eu, https://it.october.eu, https://es.october.eu, https://nl.october.eu, https://de.october.eu


This program crawled on the 2023-06-19 is sorted as bounty.

FireBounty © 2015-2024