Description

Welcome to the Monzo public bug bounty program! 🚀 At Monzo we aim to create a banking service that makes our customers' financial lives better and easier. Our mantra is "make money work for everyone" and we mean it! 👍 We have created several apps to provide intuitive, helpful, and enjoyable experiences across our range of products 💖. We won't sacrifice security though! So if you find a security bug in one of our apps or services, this is the place to report it! Happy hunting!

Bounties

Severity (CVSS)   Low (0.1 - 3.9)   Medium (4.0 - 6.9)   High (7.0 - 8.9)   Critical (9.0 - 9.4)   Exceptional (9.5 - 10.0)
Tier 1            £200              £1,500               £4,500             £8,250                 £12,500
Tier 2            £125              £950                 £3,750             £6,500                 £10,000

Tier 1: £200 - £12,500
Tier 2: £125 - £10,000

Rules of engagement

  • Required
  • Not applicable
  • max. 2 requests /sec
  • Not applicable

⚠️ By participating in this program, you agree to:

πŸ§‘β€πŸ« Discussing and disclosing vulnerabilities
We know that some researchers who find really interesting bugs would like to discuss them or share them with others, like:

  • Presenting findings at security conferences
  • Writing blog posts about discoveries
  • Creating videos that present proof-of-concepts
  • Discussing findings in social media platforms, like Reddit

We kindly ask, though, that you don't discuss or disclose the details of bugs you have reported to us without our consent. We need time to fix the bugs! 🧑‍🔧

Once the bug is fixed and confirmed to no longer be vulnerable, we're happy to collaborate on safely presenting discoveries to the wider security community 🤝.

Validation times

We will validate all submissions within the below timelines, once your submission has been verified by Intigriti.
Submissions validated outside of this may be awarded a €25 bonus.

Vulnerability severity   Time to validate
Exceptional              15 working days
Critical                 15 working days
High                     17 working days
Medium                   20 working days
Low                      20 working days

This remains at the discretion of Monzo Bank to award.

Check our fix
We offer up to €50 bonus to verify a resolved issue for us (when requested).

This remains at the discretion of Monzo Bank to award.

Domains

*.monzo.com

Tier 1
Wildcard

The crux of Monzo where the APIs live as well as Monzo Business and the main web site

*.monzo.me

Tier 1
Wildcard

Houses the services for the pay me / request payment feature

*.prod-ffs.io

Tier 1
Wildcard

Where our internet-facing services are accessed

iOS

The public seed of the Monzo app on iOS

Android

The public seed of the Monzo app on Android

URL

We use a third party, Discourse, for our community forums. Third parties are out of scope for our programs.

This is our connection to Okta for internal authentication. Third parties are out of scope for our programs.

In scope

ℹ️ Introduction

👋 Welcome to the Monzo public bug bounty program! We're glad to have you onboard! 🚀

Monzo takes the security of our products seriously, as keeping them as safe as possible keeps our customers just as safe 🔒. We consider security a high priority at Monzo, but there are only so many eyes we can get to look at our products with a security focus.
We see huge value in the contributions of the security community and the breadth of creativity and diverse thinking that they can provide.

We do our best to catch and squash bugs before products are released, but we believe getting more, independent eyes looking will help find any bugs that we missed. Together we can make Monzo's products safer for everyone! 👍

😓 Worst-case scenarios

At Monzo, our worst-case scenarios revolve around our customers. Scenarios we would consider show-stoppers include:

  • Customer accounts being taken over
  • Money being stolen from our customers
  • Our customers' personal information being disclosed to unauthorised entities
  • Payment card details being stolen
  • Attackers defrauding our systems

Really, anything that could lead to or aid an attacker in attacking our customers, committing fraud, or impacting the services we provide within the in-scope assets.

💬 No-bounty bugs

There are some issues that we won't pay bounties for without a proven exploit. However, in their unproven state we'd still be interested to hear about them.

  • Blind SSRF without sensitive data being returned (such as HTTP and DNS ping-backs)
  • Self-XSS without a way to compromise other users (e.g. using HTTP request smuggling / tunnelling)
  • HTTP request smuggling / tunnelling without any proven impact
  • Host header injection without proven business impact

πŸ—£οΈ Feedback
If you have any suggestions or feedback about our program, whether good or bad, we would love to hear your thoughts! You can send these to us using the anonymous form at the link below.

Program feedback link

We can't check feedback all the time though, so please don't use this for submission or support queries.

Out of scope

🥉 Third parties

The third-party systems we use are out of scope for our program.

We don't have explicit permission for researchers to test them. Examples of third parties we use are below, but this list is just a handful:

  • Okta
  • Discourse
  • Mailgun
  • Adjust
  • Braze

πŸ—οΈ OAuth2

At Monzo, every API call needs to be authenticated in some way. We do this using OAuth2 clients, which are exchanged for bearer tokens. Some features are meant to be used by unauthenticated users (think of people who don't have a Monzo account but want to pay a Monzo customer, or a customer who hasn't authenticated yet). To allow this, we make use of public OAuth2 clients with limited capabilities.

To help researchers prioritise their efforts, we've provided a list of public OAuth2 clients that are out of scope. It may not have every public client, but it should contain the main ones.


🎫 Issues

Several issues are not in scope of the Monzo public bug bounty program and will not result in an award. These issues are listed in their respective categories below.

📦 General

  • Issues already known to Monzo by internal testing will be marked as duplicates
  • Issues that are theoretical only with no realistic exploitation scenarios
  • Issues that require unrealistic, unlikely, and complex end user interactions to be exploited
  • Transport security (SSL/TLS) issues without proof of exploit (but within the bounds of the two points above)
  • Issues based upon social engineering or physical access to end user devices
  • Intentionally performing DoS / DDoS attacks
  • Bypassing rate-limiting or the non-existence of rate-limiting
  • Brute-force attacks (such as password spraying)
  • Attacks against third-party systems Monzo uses (such as Okta)
  • Issues requiring a person-in-the-middle scenario to be exploited
  • Issues that require an end user to already be compromised (e.g. the result of an account takeover)
  • Disclosure of OAuth client IDs and secrets without proof of exploitation
  • Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis
  • Missing email best practices (invalid / incomplete / missing SPF / DKIM / DMARC records, etc.)
  • Software version disclosure / banner identification issues / descriptive error messages or headers without sensitive information in them (e.g. stack traces, application, or server errors)
  • Verbose messages / files / directory listings without leaking any sensitive information
  • API key disclosure used for non-sensitive activities / actions
  • Leaked information in archiver sites, search engines and other web scrapers without a proven flaw in Monzo's systems leading to the behaviour

πŸ•ΈοΈ Web applications and APIs

  • API key disclosure without proven business impact
  • Username / email address enumeration
  • Account pre-staging / OAuth squatting attacks
  • Content spoofing and text injection issues without showing an attack vector / without being able to modify HTML / CSS
  • Missing best practices for Content Security Policy (CSP)
  • Missing HttpOnly, Secure, or SameSite attributes on cookies
  • Reverse tabnabbing
  • Cross-site request forgery with no or low impact
  • Presence of autocomplete attribute on input forms
  • Files with metadata present
  • CORS misconfigurations on non-sensitive endpoints
  • Missing security-related HTTP headers (X-XSS-Protection, X-Frame-Options, Strict-Transport-Security, etc.)
  • Best practice violations (password complexity, expiration, re-use, etc.)
  • Clickjacking without proven impact / unrealistic user interaction required
  • CSV injection
  • Sessions not being invalidated (logout, enabling 2FA / MFA, etc.)
  • Email bombing
  • Homograph / homoglyph attacks
  • XML-RPC enabled
  • Subdomain takeover without taking over the subdomain
  • Arbitrary file upload without being able to load the uploaded file
  • Cloud credentials / keys without proving exploitability (e.g. proving accounts can be used to authenticate)

📱 Mobile applications

  • No or ineffective jailbreak / root detection
  • No or ineffective anti-reversing controls (e.g. obfuscation, runtime tampering, debugging, emulator detection)
  • No or ineffective certificate validation and pinning
  • Disclosure of paths in binary (such as file system paths of the system where the app was compiled)
  • Disclosure of API keys for non-sensitive uses
  • Exploits only possible upon a jailbroken or rooted end user device

Severity assessment

This program follows Intigriti's contextual CVSS standard.

FAQ

🔑 How do I get credentials for the app?

No credentials will be provided in this public program. Please use your own credentials, but note that no refunds will be issued for transactions made during testing of the Monzo assets.


Overall stats

  • Submissions received: 160
  • Average payout: £317
  • Accepted submissions: N/A
  • Total payouts: N/A

Last 90 day response times

  • Avg. time to first response: < 3 days
  • Avg. time to decide: < 6 days
  • Avg. time to triage: < 3 days