Bug Bounty Program
MoneyKit encourages members of the security community to find vulnerabilities with our systems. To this end, we pay monetary rewards to those who report meaningful vulnerabilities.
Any MoneyKit-maintained domain, API, documentation, or repository is in-scope for this program. Out-of-scope domains or properties may be accepted at MoneyKit's discretion.
The following are not within the scope of this program:
- Sandbox access
- MoneyKit Playground
- Clickjacking on pages with no sensitive actions
- Generally known vulnerabilities without a working proof-of-concept
- Denial-of-service attacks
- Attacks requiring social engineering or physical access to another user's device
- Vulnerabilities due to unpatched or outdated browsers or devices
We will use our best efforts to meet the following SLAs for this program:
- From your report to our first response: 2 business days
- From our first response to our triage report: 5 business days
- From our triage report to our payment of a reward: 10 business days
Non-Disclosure and Confidentiality Policy
We require that you do not disclose any vulnerabilities to the public or any third party. Such disclosure will disqualify you from this program.
Please communicate with us by email to firstname.lastname@example.org.
- Please provide a detailed report with reproducible steps.
- If the issue cannot be reproduced, it is not eligible for a reward.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.
- If we receive duplicate reports from others, we will reward only the first usable report.
- If multiple vulnerabilities stem from the same issue, we will reward only for the issue.
- Do not cause privacy violations, destruction of data, or interruption or degradation of our services.
- Only interact with accounts you own or with the explicit permission of the account holder.
- Do not use commercial or open-source scanners.
Violation of any program rules may disqualify you from this program.
We reward vulnerability reporters at our discretion. Reward amounts will depend upon the severity of the vulnerability and the quality of the report. This chart indicates the kinds of rewards we intend to pay:
|Remote code execution on servers, SQL injection
|Authentication bypass, confidential data leak
|Filesystem access, website/documentation modification
|Incorrect access control, non-confidential data leak