Monzo Public Bug Bounty Program - Bug Bounty Program

Description

Welcome to the Monzo public bug bounty program! 🚀 At Monzo we aim to create a banking service that makes our customers financial lives better and easier. Our mantra is “make money work for everyone” and we mean it! 👍 We have created several apps to provide intuitive, helpful, and enjoyable experiences across our range of products 💖. We won’t sacrifice security though! So if you find a security bug in one of our apps or services, this is the place to report it! Happy hunting!

Bounties

Tier 1

200

1,500

4,500

8,250

12,500

Tier 1

£200 - £12,500

Tier 2

125

950

3,750

6,500

10,000

Tier 2

£125 - £10,000

Rules of engagement

@intigriti.me

Required

User agent

Not applicable

Automated tooling

max. 2 requests /sec

Request header

Not applicable

⚠️ By participating in this program, you agree to:

Follow the Community Code of Conduct
Honour the Intigriti Terms and Conditions
Respect the scope of the program

🧑‍🏫 Discussing and disclosing vulnerabilities
We know that some researchers who find really interesting bugs would like to discuss them or share them with others, like:

Presenting findings at security conferences
Writing blog posts about discoveries
Creating videos that present proof-of-concepts
Discussing findings in social media platforms, like Reddit

We kindly ask that you don't discuss or disclose the details of bugs you have reported to us though without our consent. We need time to fix the bugs! 🧑‍🔧

Once the bug is fixed and confirmed to no longer be vulnerable, we're happy to collaborate on safely presenting discoveries to the wider security community 🤝.

Validation times

We will validate all submissions within the below timelines, once your submission has been verified by Intigriti.
Submissions validated outside of this may be awarded a €25 bonus.

Vulnerability Severity	Time to validate
Exceptional	15 Working days
Critical	15 Working days
High	17 Working days
Medium	20 Working days
Low	20 Working days

This remains at the discretion of Monzo Bank to award.

Check our fix
We offer up to €50 bonus to verify a resolved issue for us (when requested).

This remains at the discretion of Monzo Bank to award.

Safe harbour for researchers is applied

Domains

*.monzo.com

Tier 1

Wildcard

The crux of Monzo where the APIs live as well as Monzo Business and the main web site

*.monzo.me

Tier 1

Wildcard

Houses the services for the pay me / request payment feature

*.prod-ffs.io

Wildcard

Where our internet-facing services are accessed

Severity assessment

This program follows Intigriti's contextual CVSS standard

FAQ

🔑 How do I get credentials for the app?

No credentials will be provided in this public program. Please use your own credentials but note that no refunds will be issued for transactions during testing of the Monzo assets

All aboard!

Please log in or sign up on the platform

For obvious reasons we can only allow submissions or applications for our program with a valid Intigriti account.

It will only take 2 minutes to create a new one or even less to log in with an existing account, so don't hesitate and let's get started. We would be thrilled to have you as part of our community.