Banner object (1)

5283 policies in database
  Back Link to program      
Sogexia logo
Hall of Fame



Last Update: 2020-07-10 - Added mobile applications to program scope

Introducing Sogexia

Sogexia is the first French fintech acting as innovative payment services operator and manages at international scale a wide range of innovative banking solutions: payment accounts, physical and virtual cards, mobile payment and additional services. Controlled by the ACPR, Sogexia offers its services to consumers, public institutions and businesses from all sectors.

In concrete terms, we provide our customers with an online bank account they can provision with bank transfers or online payments. This account entitles physical debit cards ownership. Cards can be used in the whole MasterCard network as long as account holds necessary funds.

There are two permission levels:

  • standard level, available right after account creation
  • upgraded level, available after customer's identity is verified

Upgraded level grants extended usage limits and additional services (bank transfers, ...).

What we'll reward

This program is targeted at our public account management web application and the related mobile applications (iOS and Android) only.

Rewards will be valued at our discretion according to our own severity evaluation, we especially value vulnerabilities that could be exploited to:

  • trigger funds movement beyond our system's restrictions
  • perform a significant action on behalf of another user
  • gain free access to a normally paid service
  • perform an unauthorised operation without an upgraded account
  • access to users personal data

Reports must include a detailed realistic attack scenario. We ask you to explain as clearly as you can what an attacker can actually do using the vulnerability you've discovered. We're not interested in customers injecting javascript alerts but a scenario in which a stored XSS allows an attacker to harvest sensitive data from our customers will be rewarded.

What we won't reward

All other web apps, including our corporate site, our customer support platform and cashback services are out of scope. If you find a vulnerability on thoses sites, it won't be rewarded (except of course if it allows an actual security breach impacting

Mobile vulnerabilities will only be accepted if they target the latest application version on a recent - not jailbroken - OS version (Android >= 8, iOS >= 11).

We don't plan to pay rewards for finding bugs not directly related to security (500 errors, incorrect display, usability flaws) but feel free to tell us anyway if you find any :-)

We already know about a few vulnerabilities we don't intend to fix (listed in unqualifying vulnerabilities). Reporting them won't be rewarded unless they give way to another actual vulnerability.

It's also possible that we've already identified but not yet fixed an issue, you won't be rewarded either in this case.

We'll only reward the first person to report a vulnerability, if you come next (unless with a different exploitation proof of concept) you won't be rewarded.

Responsibility charter

By participating to this program, you agree:

  • not to target a real customer, whether it be physically or virtually and to only use your own test accounts to reach your goals
  • not to impact other customers with your testing
  • not to disclose any vulnerability you may discover until we fix it
  • to give back funds you may have extracted exploiting a vulnerability
  • not to alter data except for what you input yourself
  • not to disclose data you may have extracted from our system
  • to only extract the bare minimum of data needed to prove your point
  • not to edit our system (neither code nor infrastructure)
  • not to leave a backdoor after you've proved your point
  • not to put the system out of service (using DDoS or exploiting a vulnerability)
  • not to put the system under heavy load: refrain from using scanners or don't go beyond 2 requests per second

You can't participate in this program if you're a former or current Sogexia employee or contractor.

Any failure to comply with this charter could be sanctioned with legal actions.

Our commitments

  • We'll review your reports as soon as possible and will keep you updated throughout the whole process
  • We'll do our best to fix reported vulnerabilities in a timely manner
  • Should we decline a report, we'll explain why
  • You'll be free to publicly disclose your discovery as soon as we tell you we fixed it (or don't intend to fix it)
  • Obviously, funds you have legitimately provisioned your test accounts with are your property and we'll transfer it back to you if you ask so.


European residency required

Please note that we can only accept customers with a valid European Economic Area address. Since participating in this program starts with creating a customer account, if you can't create an account using your real address, we won't be authorized to verify your identity and upgrade your account.

Identity verification

We're legally bound to verify our upgraded customers identity, you'll have to provide actual identification documents and proof of address to upgrade your account.

Free debit card

When participating in the program, send us an email at, we'll provide you a discount voucher so that you can order and receive a free physical debit card. This will give you access to additional features.


2020-07-10 - Added mobile applications to program scope

In Scope

Scope Type Scope Name




Out of Scope

Scope Type Scope Name

all domains not listed in scopes, noteworthy:


Social media accounts




This program leverage 8 scopes, in 3 scopes categories.

FireBounty © 2015-2020

Legal notices