Last Update: 2020-07-10 - Added mobile applications to program scope
Sogexia is the first French fintech acting as an innovative payment services operator, and it manages a wide range of innovative banking solutions at international scale: payment accounts, physical and virtual cards, mobile payment and additional services. Controlled by the ACPR, Sogexia offers its services to consumers, public institutions and businesses from all sectors.
In concrete terms, we provide our customers with an online bank account they can provision with bank transfers or online payments. This account entitles its holder to own physical debit cards. Cards can be used across the whole MasterCard network as long as the account holds the necessary funds.
There are two permission levels:
Upgraded level grants extended usage limits and additional services (bank transfers, ...).
This program is targeted at our public account management web application https://my.sogexia.com and the related mobile applications (iOS and Android) only.
Rewards will be valued at our discretion according to our own severity evaluation. We especially value vulnerabilities that could be exploited to:
All other web apps, including our corporate site www.sogexia.com, our customer support platform support.sogexia.com and cashback services www.sogexiaclub.com, are out of scope. If you find a vulnerability on those sites, it won't be rewarded (except of course if it allows an actual security breach impacting my.sogexia.com).
Mobile vulnerabilities will only be accepted if they target the latest application version on a recent - not jailbroken - OS version (Android >= 8, iOS >= 11).
We don't plan to pay rewards for finding bugs not directly related to security (500 errors, incorrect display, usability flaws) but feel free to tell us anyway if you find any :-)
We already know about a few vulnerabilities we don't intend to fix (listed in unqualifying vulnerabilities). Reporting them won't be rewarded unless they give way to another actual vulnerability.
It's also possible that we've already identified but not yet fixed an issue; you won't be rewarded in this case either.
We'll only reward the first person to report a vulnerability; if you come next (unless with a different exploitation proof of concept), you won't be rewarded.
By participating in this program, you agree:
You can't participate in this program if you're a former or current Sogexia employee or contractor.
Any failure to comply with this charter could be sanctioned with legal action.
Please note that we can only accept customers with a valid European Economic Area address. Since participating in this program starts with creating a customer account, if you can't create an account using your real address, we won't be authorized to verify your identity and upgrade your account.
We're legally bound to verify our upgraded customers' identity; you'll have to provide actual identification documents and proof of address to upgrade your account.
When participating in the program, send us an email at email@example.com and we'll provide you with a discount voucher so that you can order and receive a free physical debit card. This will give you access to additional features.
all domains not listed in scopes, noteworthy:
Social media accounts
This program leverages 8 scopes, in 3 scope categories.