⚠️ By participating in this program, you agree to:

• Follow the Community Code of Conduct
• Honour the Intigriti Terms and Conditions
• Respect the scope of the program
• Never use or target accounts you don't have explicit permission to do so with

🧑‍🏫 Discussing and disclosing vulnerabilities
We know that some researchers who find really interesting bugs would like to discuss them or share them with others, like:

• Presenting findings at security conferences
• Writing blog posts about discoveries
• Creating videos that present proof-of-concepts
• Discussing findings in social media platforms, like Reddit

We kindly ask that you don't discuss or disclose the details of bugs you have reported to us though without our consent. We need time to fix the bugs! 🧑‍🔧

Once the bug is fixed and confirmed to no longer be vulnerable, we're happy to collaborate on safely presenting discoveries to the wider security community 🤝.

ℹ️ Introduction

👋 Welcome to the Monzo vulnerability disclosure program! 🚀

Monzo takes the security of our products seriously, as keeping them as safe as possible keeps our customers just as safe 🔒. We consider security a high priority at Monzo, but there are only so many eyes we can get to look at our products with a security focus.

So! We would love to hear about any security bugs that you might find lurking within 😶‍🌫️.

We do our best to catch and squash bugs before products release, but we believe getting more, independent eyes looking will help find any bugs that we missed. Together, we can make Monzo’s products safer for everyone! 👍

😓 Worst-Case Scenarios

At Monzo, our worst-case scenarios revolve around our customers. Scenarios we would consider show stoppers include:

• Customer accounts being taken over
• Money being stolen from our customers
• Our customers personal information being disclosed to unauthorised entities
• Payment card details being stolen
• Attackers defrauding our systems

Really anything that could lead to or aid an attacker to attack our customers, commit fraud, or impact the services we provide within the in-scope assets.

🗣️ Feedback

If you have any suggestions or feedback about our program, whether good or bad, we would love to hear your thoughts! You can send these to us using the anonymous form at the link below.

Program feedback link

We can't check feedback all the time though, so please don't use this for submission or support queries.

🌐 Domains

The following domain is out-of-scope of the Monzo vulnerability disclosure program as it is run by one of our partners:

• community.monzo.com - operated by one of our partners

🗃️ Files and endpoints

The following files and endpoints are out-of-scope of the Monzo vulnerability disclosure program:

• developers.monzo.com/env.js - contains public application OAuth tokens with limited grant types

🎫 Issues

Several issues are not in-scope of the Monzo vulnerability disclosure program and will not result in an award. These issues are listed in their respective categories below.

📦 General

• Issues already known to Monzo by internal testing will be marked as duplicates
• Issues that are theoretical only with no realistic exploitation scenarios
• Issues that require unrealistic, unlikely, and complex end user interactions to be exploited
• Issues based upon social engineering or physical access to end user devices
• Intentionally performing DoS / DDoS attacks
• Rate-limiting or brute-force issues on unauthenticated endpoints
• Bypassing rate-limiting or the non-existence of rate-limiting
• Issues requiring an person-in-the-middle scenario to be exploited
• Issues that require an end user to already be compromised (e.g. the result of an account takeover)
• Disclosure of OAuth client IDs and secrets without proof of exploitation
• Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis
• Missing email best practices (invalid / incomplete / missing SPF / DKIM / DMARC records, etc.)
• Software version disclosure / banner identification issues / descriptive error messages or headers without sensitive information in them (e.g. stack traces, application, or server errors)
• Verbose messages / files / directory listings without leaking any sensitive information
• API key disclosure used for non-sensitive activities / actions
• Cloud credentials / keys without proving exploitability (e.g. proving accounts can be used to authenticate)

🕸️ Web applications and APIs

• API key disclosure without proven business impact
• Username / email address enumeration
• Account pre-staging / OAuth squatting attacks
• Content spoofing and text injection issues without showing an attack vector / without being able to modify HTML / CSS
• Missing best practices for Content Security Policy (CSP)
• Missing HttpOnly, Secure, or SameSite attributes on cookies
• Reverse tabnapping
• Cross-site request forgery with no or low impact
• Presence of autocomplete attribute on input forms
• Files with metadata present
• CORS misconfigurations on non-sensitive endpoints
• Missing security-related HTTP headers (X-XSS-Protection, X-Frame-Options, Strict-Transport-Security, etc.)
• Best practice violations (password complexity, expiration, re-use, etc.)
• Clickjacking without proven impact / unrealistic user interaction required
• CSV injection
• Sessions not being invalidated (logout, enabling 2FA / MFA, etc.)
• Email bombing
• Homograph / homoglyph attacks
• XML-RPC enabled
• Subdomain takeover without taking over the subdomain
• Arbitrary file upload without being able to load the uploaded file

📱 Mobile Applications

• No or ineffective jailbreak / root detection
• No or ineffective anti-reversing controls (e.g. obfuscation, runtime tampering, debugging, emulator detection)
• No or ineffective certificate validation and pinning
• Disclosure of paths in binary (such as file system paths of the system where the app was compiled)
• Disclosure of API keys for non-sensitive uses
• Exploits only possible upon a jailbroken or rooted end user device

The Monzo vulnerability disclosure program follows Intigriti's contextual CVSS standard for risk ratings.

Where can we get credentials for the app?

You can self-register within the Monzo app, but you must use your @intigriti.me address.

Please be aware, we can't guarantee the recovery of money if you use your own cash or personal account for testing 🙇.