FireBounty
79207 policies in database
Link to program      
2024-07-29
2025-03-11
Maya - Public Bug Bounty Program logo
Thank
Gift
HOF
Reward

Reward

Maya - Public Bug Bounty Program

About

Maya

Maya combines a feature-rich wallet and a secure, progressive digital banking experience powered by Maya Bank that lets you call the shots as you spend, save, grow, invest, and master your money. As the money app that millions use daily, Maya gives today’s generation of Filipino money makers a real chance to succeed and become bolder versions of themselves.

Maya Application

This app is critical to us, as it's our main application where almost all of our services can be found.
(Digital Wallet, Cards, MayaBank Savings and Loan, Bills payment).

Program Rules

Testing Policy and Responsible Disclosure

Please adhere to the following rules while performing research on this program:

  • Denial of service (DoS) attacks on Maya applications, servers, networks or infrastructure are strictly forbidden.
  • Avoid tests that could cause degradation or interruption of our services.
  • Do not use automated scanners or tools that generate large amount of network traffic.
  • Do not leak, manipulate, or destroy any user data or files in any of our applications/servers.
  • Do not copy any files from our applications/servers and disclose them.
  • No vulnerability disclosure, full, partial or otherwise, is allowed.

Reward Eligibility

We are happy to thank everyone who submits valid reports which help us improve the security of Maya, however only those that meet the following eligibility requirements may receive a monetary reward:

  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability (see below).
  • The report must contain the following elements:
    • Clear textual description of the vulnerability, how it can be exploited, the security impact it has on the application, its users and Maya, and remediation advice on fixing the vulnerability
    • Proof of exploitation: screenshots demonstrating the exploit was performed, and showing the final impact
    • Provide complete steps with the necessary information to reproduce the exploit, including (if necessary) code snippets, payloads, commands etc
  • You must not break any of the testing policy rules listed above
  • You must not be a former or current employee of Maya or one of its contractors.

Reward amounts are based on:

  • Reward grid of the report's scope
  • CVSS scoring and actual business impact of the vulnerability upon performing risk analysis

Reports of leaks and exposed credentials

In the context of this program, we do not intend to encourage, accept or reward reports of leaks or exposed credentials.
We will only consider vulnerabilities or leaks that are identified directly on the scope of this program.

Also, in order not to encourage dark and grey economies, in particular the purchase, resale and trade of identifiers or stolen information, as well as all types of dangerous behavior (e.g. social engineering, ...), we will not accept or reward any report based on information whose source is not the result of failure on the part of our organization or one of our employees/service providers.

This excludes, but is not limited to:

  • Stolen credentials gathered from unidentified sources (e.g. …)
  • Exposed credentials on an out-of-scope assets
  • Exposed GitHub/GitLab (or similar) instance
  • Exposed secrets (e.g. API tokens/keys or other technical credentials)
  • Exposed PII on an out-of-scope asset

To summarize our policy, you may refer to this table :

Source of leak is in-scope Source of leak is out-of-scope
Impact is in-scope (e.g. valid credentials on an in-scope asset) Eligible Not Eligible
Impact is out-of-scope (e.g. valid credentials for an out-of-scope asset) Eligible Not Eligible

Complements about our scopes

Maya App

API Documentation

API API documentation link(s)
pg.paymaya.com https://developers.maya.ph/docs/online-payments
https://payoutapi.maya.ph https://developers.maya.ph/docs/disbursement-api-v1https://developers.maya.ph/reference/initiate-sessionhttps://developers.maya.ph/reference/submit-member-filehttps://developers.maya.ph/reference/get-wallet
https://op.paymaya.com https://developers.maya.ph/docs/maya-mini-appshttps://developers.maya.ph/docs/maya-mini-apps-technical-guide
https://connect.paymaya.com https://developers.maya.ph/docs/maya-mini-apps-technical-guide
https://paymayabiller-prod.paymaya.com https://developers.maya.ph/docs/biller-api

In Scope

Scope Type Scope Name
android_application

https://play.google.com/store/apps/details?id=com.paymaya
api

https://api.paymaya.com/
api

https://pg.paymaya.com
api

https://payoutapi.maya.ph/
api

https://op.paymaya.com/
api

https://connect.paymaya.com/
api

https://paymayabiller-prod.paymaya.com/
ios_application

https://apps.apple.com/am/app/maya-your-all-in-one-money-app/id991673877
web_application

https://appgallery.huawei.com/app/C101186357

Out of Scope

Scope Type Scope Name
undefined

All domains or subdomains not listed in the above list of 'Scopes'
undefined

Non-Production environments (test, dev, staging, or sandbox)
web_application

Other subdomain of paymaya.com that has no direct integration/part of the mobile application

This policy crawled by Onyphe on the 2024-07-29 is sorted as bounty.

FireBounty © 2015-2025

Legal notices | Privacy policy