Introduction
Welcome to the Monzo public bug bounty program! We're glad to have you onboard!
Monzo takes the security of our products seriously, as keeping them as safe as possible keeps our customers just as safe. We consider security a high priority at Monzo, but there are only so many eyes we can get to look at our products with a security focus.
We see huge value in the contributions of the security community and the breadth of creativity and diverse thinking that they can provide.
We do our best to catch and squash bugs before products are released, but we believe that getting more, independent eyes looking will help find any bugs that we missed. Together we can make Monzo's products safer for everyone!
Worst-Case Scenarios
At Monzo, our worst-case scenarios revolve around our customers. Scenarios we would consider show stoppers include:
- Customer accounts being taken over
- Money being stolen from our customers
- Our customers' personal information being disclosed to unauthorised entities
- Payment card details being stolen
- Attackers defrauding our systems
Really, anything that could lead to or aid an attacker in attacking our customers, committing fraud, or impacting the services we provide within the in-scope assets.
No-bounty bugs
There are some issues that we won't pay bounties for without a proven exploit. However, in their unproven state we'd still be interested to hear about them.
- Blind SSRF without sensitive data being returned (such as HTTP and DNS ping-backs)
- Self-XSS without a way to compromise other users (e.g. using HTTP request smuggling / tunnelling)
- HTTP request smuggling / tunnelling without any proven impact
- Host header injection without proven business impact
Feedback
If you have any suggestions or feedback about our program, whether good or bad, we would love to hear your thoughts! You can send these to us using the anonymous form at the link below.
Program feedback link
We can't check feedback all the time though, so please don't use this for submission or support queries.