By participating in this program, you agree to:

• Respect the Community Code of Conduct
• Respect the Intigriti Terms and Conditions
• Respect the scope of the program
• Not discuss or disclose vulnerability information without prior written consent (including PoC's on YouTube and Vimeo)
• Provide detailed but to-the point reproduction steps
• Include a clear attack scenario, a step by step guide in the PoC is highly appreciated

Validation times

We will validate all submissions within the below timelines, once your submission has been verified by Intigriti.
Submissions validated outside of this may be awarded a €25 bonus.

This remains at the discretion of Finom to award.

Check our fix
We offer up to €50 bonus to verify a resolved issue for us (when requested).
This remains at the discretion of Finom to award.

Here are our highest priority concerns:

• Full database access and SQL injections
• Remote Code Execution (RCE)
• Full privileged access to critical infrastructure assets
• Account takeover
• Authorization bypass
• Access to sensitive client data
• Ability to initiate transactions/orders
• Access to internal resources impacting business operations
• WAF bypassing

Feedback
Would you like to help us improve our program or have some feedback to share, please send your anonymous feedback here:

Program feedback link
Please note this form will be checked periodically and should not be used for submission or support queries.

Domains

• Any domain that is not listed in the Domains section, is out of scope for this program
• API for mobile applications

Application

• DoS/DDoS
• API key disclosure without proven business impact
• Pre-Auth Account takeover/OAuth squatting
• Self-XSS that can't be used to exploit other users
• Reverse tabnabbing
• Verbose messages/files/directory listings without disclosing any sensitive information
• CORS misconfiguration on non-sensitive endpoints
• Missing cookie flags or security headers
• Cross-site Request Forgery with no or low impact
• Presence of autocomplete attribute on web forms
• Bypassing rate-limits or the non-existence of rate-limits without significant impaction (users enumeration, sending a lot of notification, etc.. some api endpoints has throttling with high limits)
• Best practices violations (password complexity, session expiration, re-use after reload, etc.)
• Clickjacking without proven impact/unrealistic user interaction
• CSV Injection
• Email links injection if only the target side parse links in the text
• Anything related to email spoofing, SPF, DMARC or DKIM
• Content injection without being able to modify the HTML
• Email / SMS / Mobile Push bombing
• HTTP Request smuggling without any proven impact
• Banner grabbing/Version disclosure
• Not stripping metadata of files
• Subdomain takeover without taking over the subdomain
• Arbitrary file upload
• Blind SSRF without proven business impact (pingbacks aren't sufficient)
• Host header injection without proven business impact

General

• In case that a reported vulnerability was already known to the company from their own tests, it will be flagged as a duplicate
• Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited
• Spam, phishing, social engineering and physical intrusion
• Homograph attacks
• DoS/DDoS attacks or brute force attacks
• Attacks requiring physical access to a victim's computer/device, man in the middle or compromised user accounts
• Recently discovered zero-day vulnerabilities found in in-scope assets within 14 days after the public release of a patch or mitigation may be reported, but are usually not eligible for a bounty
• Reports that state that software is out of date/vulnerable without a proof-of-concept

Mobile

• Shared links leaked through the system clipboard
• Any URIs leaked because a malicious app has permission to view URIs opened
• The absence of certificate pinning
• Sensitive data in URLs/request bodies when protected by TLS
• Lack of obfuscation
• Path disclosure in the binary
• Lack of jailbreak & root detection
• Crashes due to malformed URL Schemes
• Lack of binary protection (anti-debugging) controls, mobile SSL pinning
• Snapshot/Pasteboard leakage
• Runtime hacking exploits (exploits only possible in a jailbroken environment)
• API key leakage used for insensitive activities/actions

This program follows Intigriti's triage standards

Where can we get credentials for the app?

You can self-register on the application but please don’t forget to use your @intigriti.me email address.

Can I disclose the vulnerability publicly?

Public disclosure is only allowed after the vulnerability has been fixed and you have received permission from our team. Unauthorized disclosure may result in disqualification from the program.

Can I participate in the program if I am an employee or contractor of Finom?

No, current employees, contractors, and their immediate family members are not eligible to participate in the bug bounty program.

What if I find a vulnerability that is already known or reported by someone else?

If a vulnerability is already known or has been reported by another researcher, it will be marked as a duplicate, and no reward will be granted.

Are there any legal restrictions or requirements I should be aware of?

Participants must comply with all applicable laws and regulations while participating in the bug bounty program. Unauthorized access to systems, data, or accounts beyond what is explicitly allowed in the program's scope is prohibited.

What if I have feedback or suggestions for improving the bug bounty program?

We welcome your feedback and suggestions. Please use the feedback form provided in the "Feedback" section to share your thoughts with us.