Bug Bounty Program
MoneyKit encourages members of the security community to find vulnerabilities in our systems. To this end, we pay monetary rewards to those who report meaningful vulnerabilities.
Program Scope
Any MoneyKit-maintained domain, API, documentation, or repository is in-scope for this program. Out-of-scope domains or properties may be accepted at MoneyKit's discretion.
Out-of-scope Vulnerabilities
The following are not within the scope of this program:
- Sandbox access
- MoneyKit Playground
- Clickjacking on pages with no sensitive actions
- Generally known vulnerabilities without a working proof-of-concept
- Denial-of-service attacks
- Attacks requiring social engineering, physical access to another user's device, or unauthorized access to another user's email
- Vulnerabilities due to unpatched or outdated browsers or devices
SLA
We will use our best efforts to meet the following SLAs for this program:
- From your report to our first response: 2 business days
- From our first response to our triage report: 5 business days
- From our triage report to our payment of a reward: 10 business days
Non-Disclosure and Confidentiality Policy
We require that you do not disclose any vulnerabilities to the public or any third party. Such disclosure will disqualify you from this program.
Program Rules
Please communicate with us by email to security@moneykit.com.
- Please provide a detailed report with reproducible steps.
- If the issue cannot be reproduced, it is not eligible for a reward.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.
- If we receive duplicate reports from others, we will reward only the first usable report.
- If multiple vulnerabilities stem from the same underlying issue, we will pay a single reward for that issue.
- Do not cause privacy violations, destruction of data, or interruption or degradation of our services.
- Only interact with accounts you own or with the explicit permission of the account holder.
- Do not use commercial or open-source scanners.
Violation of any program rules may disqualify you from this program.
Rewards
We reward vulnerability reporters at our discretion. Reward amounts will depend upon the severity of the vulnerability and the quality of the report. This chart indicates the kinds of rewards we intend to pay:
| Severity | Bounty | Example |
|---|---|---|
| Critical | $5,000 | Remote code execution on servers, SQL injection |
| High | $3,000 | Authentication bypass, confidential data leak |
| Medium | $2,000 | Filesystem access, website/documentation modification |
| Low | $1,000 | Incorrect access control, non-confidential data leak |