Getmomo : Private Bug Bounty Program

Security Commitment

The safety and security of our customers’ data, and the reliability of our products and services, are of utmost importance to Getmomo. We therefore aim to design and build our products and services to the highest levels of security and reliability. Despite our best efforts, given the complexity of these products and services, vulnerabilities and errors may still be present.

This policy describes Getmomo’s approach to requesting and receiving reports related to potential vulnerabilities and errors in its products and services from those that interact with such products and services.

Customers, users, researchers, partners and any other person that interacts with Getmomo’s products and services are encouraged to report identified vulnerabilities and errors with such products and services.

Qualifying Vulnerabilities

The following products, domains and services are in scope:

  • getmomo.de

  • getmomo.app

  • getmomo.net

  • Any other domains, APIs and mobile apps held or distributed by GetMomo Financial GmbH

Non-Qualifying Vulnerabilities

The following classes of findings are considered out of scope for this program unless the reporter can demonstrate a concrete, exploitable security impact on our users or systems.

Informational and Non-Exploitable Findings

  • Theoretical vulnerabilities, best-practice deviations, or configuration observations that do not demonstrate a concrete security impact. This includes, but is not limited to: missing or misconfigured security-related HTTP headers and cookie flags (including HSTS), SSL/TLS configuration weaknesses (e.g., certificate issues, cipher suite preferences), missing email authentication records (SPF, DKIM, DMARC), enabled GraphQL introspection, presence of autocomplete attributes on web forms, and open ports or services without a demonstrated exploit.

  • Information disclosure that does not lead to a demonstrable security impact (e.g., stack traces, path or directory listings, software version banners, internal IP addresses, EXIF metadata).

  • CVEs that have no demonstrated exploit, or that were publicly disclosed fewer than 30 days before the submission date.

  • Vulnerabilities that affect only outdated or end-of-life browsers and platforms.

Low-Impact Client-Side Issues

  • Content or text injection, clickjacking or UI redressing, and tabnabbing, unless a meaningful security impact can be demonstrated.

  • Cross-site scripting (XSS) that requires the victim to modify their own browser or session (e.g., self-XSS), or that cannot be leveraged to affect other users, including XSS or open redirects exploitable only via manipulation of HTTP request headers.

  • Low-severity cross-site request forgery (CSRF) on non-sensitive actions (e.g., login, logout, unauthenticated forms, shopping cart updates).

  • CSV injection without a demonstrated path to code execution or data exfiltration.

Attacks Requiring Privileged Access

  • Attack scenarios that depend on an active man-in-the-middle position, physical access to a victim's device, or social engineering of our staff or contractors.

  • Physical security concerns, including office access, tailgating, and building security.

Denial of Service and Abuse

  • Denial of service (DoS) or distributed denial of service (DDoS) attacks.

  • Absence or bypass of rate limiting, brute-force protections, or CAPTCHA mechanisms.

  • Ability to send unsolicited bulk messages to users (e.g., email, SMS, or in-app message flooding).

Authentication, Session, and Account Management

  • Session management observations without a demonstrated exploit (e.g., session token longevity, missing logout on password change, concurrent sessions).

  • Weak password policy observations (e.g., minimum length, complexity rules, password reuse).

  • User enumeration via any vector (e.g., login responses, registration flows, API endpoints, common CMS paths).

  • Pre-account takeover scenarios (e.g., account creation via OAuth prior to victim registration).

  • Password reset tokens leaked via HTTP Referer headers to third-party services.

Scope and Third-Party Limitations

  • Vulnerabilities in third-party systems or assets that are not under our operational control.

  • Credentials or secrets exposed on assets under our control that fall outside the program's defined scope.

  • Subdomain takeover without a fully demonstrated, exploitable vulnerability, or on domains outside the program scope.

  • Disclosed or misconfigured public API keys that do not pose a security risk (e.g., Google Maps, Firebase, analytics or advertising platform keys).

  • Broken links or potential social media account hijacking.

  • Malicious file upload without demonstrated impact beyond the upload itself (e.g., EICAR test files, executable uploads).

  • Blind SSRF limited to DNS or HTTP pingback without further demonstrated impact.

How to Report a Vulnerability

The preferred method for contacting Getmomo regarding such vulnerabilities and errors is by using the form present on this page.

Getmomo highly appreciates the efforts made by the reporting party in identifying the vulnerability or error. Reporting of such vulnerabilities and errors will contribute to improving the security and reliability of our product and services.

Please note that providing your contact details is entirely voluntary. If you choose to provide contact details, Getmomo will process this information on the basis of Art. 6(1)(f) GDPR (legitimate interest in improving IT security), solely for the purpose of following up on your report. For further information on how we process your personal data, including retention periods and your rights as a data subject, please refer to our Privacy Policy: <https://getmomo.de/datenschutz>

Terms of Reporting

By making a report to Getmomo using the form on this page, or otherwise communicating a report to Getmomo, regarding vulnerabilities and errors, you agree to the following terms:

Getmomo may use your report for any purpose deemed relevant by Getmomo, including without limitation, for the purpose of correcting any vulnerabilities and errors that are reported and that Getmomo deems to exist and to require correction. To the extent your report contains proposals for changes or improvements, you grant Getmomo a non-exclusive, worldwide, royalty-free right to use such proposals in any manner related to the security and improvement of Getmomo's products and services (einfaches Nutzungsrecht gemäß § 31 Abs. 2 UrhG, i.e. a simple, non-exclusive right of use under Section 31(2) of the German Copyright Act), to the extent permitted by applicable law.

You confirm to Getmomo that:

  • You have not exploited or used in any manner, and will not exploit or use in any manner, the discovered vulnerabilities and/or errors (other than for the purposes of reporting to Getmomo);

  • You have not engaged, and will not engage, in testing/research of systems with the intention of harming Getmomo, its customers, employees, partners or suppliers;

  • You have not used, misused, deleted, altered or destroyed, and will not use, misuse, delete, alter or destroy, any data that you have accessed or may be able to access in relation to the vulnerability and/or error discovered;

  • You have not conducted, and will not conduct, social engineering, spamming, phishing, denial-of-service or resource-exhaustion attacks;

  • You have not tested, and will not test, the physical security of any property, building, plant or factory of Getmomo;

  • You have not breached, and will not breach, any applicable laws in connection with your report and with your interaction with the Getmomo product or service that led to your report;

  • You agree not to disclose information related to your report to any third party until Getmomo has confirmed remediation. Disclosure to your own legal counsel is permitted at any time, subject to their professional confidentiality obligations.

  • You accept that Getmomo aims to acknowledge reports within 5 business days, but does not guarantee that you will receive a response related to your report;

  • You agree that you are making your report without any expectation or requirement of reward or other benefit, financial or otherwise, for making such a report, and without any expectation or requirement that the vulnerabilities and/or errors reported are corrected by Getmomo.

Safe Harbour Commitment

Getmomo considers activities conducted in accordance with this policy to constitute authorized conduct and will not pursue civil or criminal claims related to such activities. If you comply with this policy, Getmomo will not initiate legal action against you in connection with your report. In particular, Getmomo will not assert any claims under § 202a of the German Criminal Code (StGB) (spying on data), § 202b StGB (interception of data) or § 202c StGB (preparation of spying and interception of data), provided that the reporting person has acted exclusively within the scope of this policy and without intent to cause damage. Getmomo also waives civil claims pursuant to § 823 of the German Civil Code (BGB) for actions directly related to the security research described in this policy.

Governing Law and Jurisdiction

This Policy shall be subject to German law. The exclusive place of jurisdiction for all disputes arising from or in connection with it is Berlin, to the extent permitted by law. This Policy is published in both German and English. In the event of any inconsistency or discrepancy between the German-language version and the English-language version, the German-language version shall prevail.

Private Bug Bounty Program

We maintain a private bug bounty program on YesWeHack. It is invitation-only and focused on impactful vulnerabilities. This policy applies to reports submitted through the VDP form; separate terms apply to bounty-eligible submissions. If you believe your expertise could be valuable, feel free to include your YesWeHack username in a VDP report. Researchers who demonstrate strong signal, quality and impact may receive an invitation.


This program, crawled on 2026-03-23, is sorted as cvd.