FireBounty
46829 policies in database
Link to program      
2019-06-19
2019-09-26
Sogexia logo
Thank
Gift
HOF
Reward

Reward

Sogexia

Last Update: 2023-07-26 - Detailed consumer / business accounts features

Introducing Sogexia

Sogexia is the first French fintech acting as innovative payment services operator and manages at international scale a wide range of innovative banking solutions: payment accounts, physical and virtual cards, mobile payment and additional services. Controlled by the ACPR, Sogexia offers its services to consumers, public institutions and businesses from all sectors.

In concrete terms, we provide our customers with an online bank account they can provision with bank transfers or online payments. This account entitles physical debit cards ownership. Cards can be used in the whole MasterCard network as long as account holds necessary funds.

There are two permission levels:

  • standard level, available right after account creation
  • upgraded level, available after customer's identity is verified

Upgraded level grants extended usage limits and additional services (bank transfers, ...).

What we'll reward

This program is targeted at our public account management web application https://my.sogexia.com and the related mobile applications (iOS and Android) only.

Rewards will be valued at our discretion according to our own severity evaluation, we especially value vulnerabilities that could be exploited to:

  • trigger funds movement beyond our system's restrictions
  • perform a significant action on behalf of another user
  • gain free access to a normally paid service
  • perform an unauthorised operation without an upgraded account
  • access to users personal data

Reports must include a detailed realistic attack scenario. We ask you to explain as clearly as you can what an attacker can actually do using the vulnerability you've discovered. We're not interested in customers injecting javascript alerts but a scenario in which a stored XSS allows an attacker to harvest sensitive data from our customers will be rewarded.

What we won't reward

All other web apps, including our corporate site www.sogexia.com, our customer support platform support.sogexia.com and cashback services www.sogexiaclub.com are out of scope. If you find a vulnerability on thoses sites, it won't be rewarded (except of course if it allows an actual security breach impacting my.sogexia.com)

Mobile vulnerabilities will only be accepted if they target the latest application version on a recent - not jailbroken - OS version (Android >= 8, iOS >= 11).

We don't plan to pay rewards for finding bugs not directly related to security (500 errors, incorrect display, usability flaws) but feel free to tell us anyway if you find any :-)

We already know about a few vulnerabilities we don't intend to fix (listed in unqualifying vulnerabilities). Reporting them won't be rewarded unless they give way to another actual vulnerability.

It's also possible that we've already identified but not yet fixed an issue, you won't be rewarded either in this case.

We'll only reward the first person to report a vulnerability, if you come next (unless with a different exploitation proof of concept) you won't be rewarded.

Responsibility charter

By participating to this program, you agree:

  • not to target a real customer, whether it be physically or virtually and to only use your own test accounts to reach your goals
  • not to impact other customers with your testing
  • not to disclose any vulnerability you may discover until we fix it
  • to give back funds you may have extracted exploiting a vulnerability
  • not to alter data except for what you input yourself
  • not to disclose data you may have extracted from our system
  • to only extract the bare minimum of data needed to prove your point
  • not to edit our system (neither code nor infrastructure)
  • not to leave a backdoor after you've proved your point
  • not to put the system out of service (using DDoS or exploiting a vulnerability)
  • not to put the system under heavy load: refrain from using scanners or don't go beyond 2 requests per second

You can't participate in this program if you're a former or current Sogexia employee or contractor.

Any failure to comply with this charter could be sanctioned with legal actions.

Our commitments

  • We'll review your reports as soon as possible and will keep you updated throughout the whole process
  • We'll do our best to fix reported vulnerabilities in a timely manner
  • Should we decline a report, we'll explain why
  • You'll be free to publicly disclose your discovery as soon as we tell you we fixed it (or don't intend to fix it)
  • Obviously, funds you have legitimately provisioned your test accounts with are your property and we'll transfer it back to you if you ask so.

Enrollment

European residency required

Please note that we can only accept customers with a valid European Economic Area address. Since participating in this program starts with creating a customer account, if you can't create an account using your real address, we won't be authorized to verify your identity and upgrade your account.

Identity verification

We're legally bound to verify our upgraded customers identity and will require actual documents according to the type of account you're opening.

Consumer accounts

You'll have to provide actual identification documents and proof of address to upgrade your account.
You may use a screenshot of your YesWeHack profile (making sure the YesWeHack logo is clearly visible) as proof of income.

Business accounts

You'll have to provide an actual company's certificate of incorporation and articles of association as well as identity documents and proof of address for yourself and any other main associates.

Free debit card

When participating in the program, send us an email at bugbounty@sogexia.com, we'll provide you a discount voucher so that you can order and receive a free physical debit card. This will give you access to additional features.

Features list

A few features are only available to our business customers, additionally there are several features that are not implemented in the same way for our consumer and business accounts so may find a vulnerability that only affects one kind of account.

General Features

Feature Consumer Business Notes
Identity verification x x Business accounts are required to provide documents for several entities
Transaction history x x
User preferences x x
Phone number update x x
Email address update x x
postal address update x x

Transfers

Feature Consumer Business Notes
Add transfer beneficiary x x
Emit a single Transfer x x
Emit several grouped transfers x x
Emit an instant transfer x x Limited to other Sogexia accounts for now
Transfers history x x
View Personal IBAN x x
Require a secondary French IBAN x x

Debit cards

Feature Consumer Business Notes
Order a debit card x x Two types of card exist
Activate a debit card x x
Lock/Unlock a debit card x x
Retreive debit card PIN x x
Unlock debit card PIN x x After several failed physical attempts

Credit card deposits

Feature Consumer Business Notes
Register a loading credit card x
Credit card deposit x x Consumer accounts must use a previously registered card

Cash deposits

Feature Consumer Business Notes
Retreive personal barcode x x

Direct Debits

Feature Consumer Business Notes
Direct Debits list x x
Provide B2B mandate x Business accounts can use the core SEPA scheme as well as the B2B scheme
Revoke core mandate x x
Revoke B2B mandate x
Reject Direct Debit x x Business accounts can only reject debits that are part of the core scheme

Changelog

2020-07-10 - Added mobile applications to program scope
2023-02-23 - Reward amounts raised
2023-02-23 - New SEPA direct debit feature
2023-02-23 - New cash deposit feature
2023-07-23 - New Grouped Transfers feature
2023-07-23 - New postal address update feature
2023-07-23 - Added tracking features in iOS and Android apps
2023-07-23 - Detailed consumer / business accounts features

In Scope

Scope Type Scope Name
android_application

https://play.google.com/store/apps/details?id=io.gonative.android.xjndrq&hl=fr
ios_application

itmss://apps.apple.com/us/app/id1510360750?ign-mscache=1
web_application

https://my.sogexia.com

Out of Scope

Scope Type Scope Name
undefined

all domains not listed in scopes, noteworthy:
undefined

Social media accounts
web_application

www.sogexia.com
web_application

support.sogexia.com
web_application

www.sogexiaclub.com

This program leverage 8 scopes, in 3 scopes categories.

FireBounty © 2015-2024

Legal notices | Privacy policy