Description

What we do: We're opening up finance and changing the way the world pays. Empowering businesses in every industry to create first-class financial experiences for their customers. We build on top of the Open Banking and PSD2 standards to provide APIs for our customers to use to provide financial data and payment initiation services.

Bounties
Low
0.1 - 3.9
Medium
4.0 - 6.9
High
7.0 - 8.9
Critical
9.0 - 9.4
Exceptional
9.5 - 10.0
Tier 1
175
900
2,250
4,000
6,000
Tier 1
€175 - €6,000
Tier 2
125
625
1,550
2,750
4,000
Tier 2
€125 - €4,000
Tier 3
75
350
850
1,500
2,250
Tier 3
€75 - €2,250
Rules of engagement
Required
Not applicable
max. 10 requests/sec
X-Intigriti-Username: {Username}

By participating in this program, you agree to:

  • Respect the Community Code of Conduct
  • Respect the Intigriti Terms and Conditions
  • Respect the scope of the program
  • Not discuss or disclose vulnerability information without prior written consent (including PoC's on YouTube and Vimeo)
Domains

api.truelayer[-sandbox].com

Tier 1
URL

The majority of our API endpoints live here

auth.truelayer[-sandbox].com

Tier 1
URL

Our service for getting OAuth access tokens to access our APIs

login-api.truelayer[-sandbox].com

Tier 1
URL

login.truelayer[-sandbox].com

Tier 1
URL

Where you can connect your bank account and use Open Banking to pull data such as transactions

onboarding-api.truelayer.com

Tier 1
URL

Used in the developer console

pay-api.truelayer[-sandbox].com

Tier 1
URL

pay.truelayer[-sandbox].com

Tier 1
URL

Some of our older payment API endpoints live here rather than on api.truelayer.com

paydirect.truelayer[-sandbox].com

Tier 1
URL

Some of our older payment API endpoints live here rather than on api.truelayer.com

payment.truelayer[-sandbox].com

Tier 1
URL

Our hosted payments page for merchants that want us to manage the UI screens for making payments

payouts.truelayer[-sandbox].com

Tier 1
URL

Our Payouts API

users-api.truelayer.com

Tier 1
URL

Internal service for managing users

C# SDK

Tier 2
Other

console-backend.truelayer[-sandbox].com

Tier 2
URL

console.truelayer[-sandbox].com

Tier 2
URL

Our developer console where you can login, create applications, manage your OAuth client ID/secret, upload public keys for request signing, view transactions

hpp.truelayer[-sandbox].com

Tier 2
URL

iOS SDK

Tier 2
Other

Java SDK

Tier 2
Other

PHP SDK

Tier 2
Other

React Native SDK

Tier 2
Other

Rust SDK

Tier 2
Other

TrueLayer for Magento (Magento plugin)

Tier 2
Other

TrueLayer for WooCommerce (WordPress plugin)

Tier 2
Other

https://wordpress.org/plugins/truelayer-for-woocommerce/ is our WordPress plugin allowing you to use TrueLayer as a checkout option in your WooCommerce store. The source code is also available on GitHub.

truelayer-signing

Tier 2
Other

https://github.com/TrueLayer/truelayer-signing is our open source library for generating signed requests for calling TrueLayer APIs. Many languages are supported including Rust, C#, NodeJS, Go, Java and PHP.

webhooks.truelayer[-sandbox].com

Tier 2
URL

*.truelayer.cloud

Tier 3
Wildcard

*.truelayer.com

Tier 3
Wildcard

*.truelayer.io

Tier 3
Wildcard

banks.truelayer.com

Out of scope
URL

careers.truelayer.com

Out of scope
URL

docs.truelayer.com

Out of scope
URL

https://truelayer.com/contact/

Out of scope
URL

index.truelayer.com

Out of scope
URL

info.truelayer.com

Out of scope
URL

signin.truelayer.com

Out of scope
URL

statuspage.truelayer.com

Out of scope
URL

support.truelayer.com

Out of scope
URL

truelayer.zendesk.com

Out of scope
URL
In scope

Instructions

See our extensive docs for help using our APIs. We advise you to use the sandbox environment for testing so that you do not need to go through our Know Your Customer (KYC) checks. All our payments APIs require KYC, which you will most likely not pass unless you are a genuine customer. Our sandbox environment is very similar to production.

All domains with -sandbox in are for the sandbox environment, and most have a production equivalent without -sandbox. e.g. api.truelayer-sandbox.com is the sandbox version of api.truelayer.com, and has the exact same endpoints.

You may wish to use our Postman and Insomnia collections, and Insomnia signing plugin for performing API requests:

What we're most interested in

  • Bugs with demonstrable security impact
  • Cross-tenant access control issues (e.g. no two clients should be able to access data belonging to the other)
  • Critical issues like RCE or SQL injections
  • Access to internal systems
  • Flaws causing unauthenticated PII leakage

Timeframes

We will validate all submissions within the below timelines (once your submission has been verified by Intigriti)
Submissions validated outside of this will be awarded a €25 bonus. This remains at the discretion of TrueLayer to award.

Exceptional: 5 working days
Critical: 5 working days
High: 10 working days
Medium: 20 working days
Low: 30 working days

Working hours = Mon-Fri 9am - 5pm GMT/BST

Check our fix
We offer up to €50 bonus to 'check our fix'. This remains at the discretion of TrueLayer to award.

Out of scope

The contact form at https://truelayer.com/contact/ goes to a third party and SHOULD NOT be tested. Please avoid spamming any contact forms in general, including the live chat. Real people have to review these messages.

Domains

Any domain that is not listed in the Domains section is out of scope for this program. Any domain that is explicitly marked as out of scope in the Domains section is managed through third-party providers and as such MUST NOT be tested.

Application

  • API key disclosure without proven business impact
  • Wordpress usernames disclosure
  • Pre-Auth Account takeover/OAuth squatting
  • Self-XSS that cannot be used to exploit other users
  • Verbose messages/files/directory listings without disclosing any sensitive information
  • CORS misconfiguration on non-sensitive endpoints
  • Missing cookie flags
  • Missing security headers
  • Cross-site Request Forgery with no or low impact
  • Presence of autocomplete attribute on web forms
  • Reverse tabnabbing
  • Bypassing rate-limits or the non-existence of rate-limits.
  • Best practices violations (password complexity, expiration, re-use, etc.)
  • Clickjacking without proven impact/unrealistic user interaction
  • CSV Injection
  • Sessions not being invalidated (logout, enabling 2FA, etc.)
  • Tokens leaked to third parties
  • Anything related to email spoofing, SPF, DMARC or DKIM
  • Content injection without being able to modify the HTML
  • Username/email enumeration
  • Email bombing
  • HTTP Request smuggling without any proven impact
  • Homograph attacks
  • XMLRPC enabled
  • Banner grabbing/Version disclosure
  • Not stripping metadata of files
  • Same-site scripting
  • Subdomain takeover without taking over the subdomain
  • Arbitrary file upload without proof of the existence of the uploaded file
  • Blind SSRF without proven business impact (pingbacks are not sufficient)
  • Disclosed/misconfigured Google Maps API keys
  • Host header injection without proven business impact

General

  • In case that a reported vulnerability was already known to the company from their own tests, it will be flagged as a duplicate
  • Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited
  • Spam, social engineering and physical intrusion
  • DoS/DDoS attacks or brute force attacks
  • Vulnerabilities that only work on software that no longer receive security updates
  • Attacks requiring physical access to a victim's computer/device, man in the middle or compromised user accounts
  • Recently discovered zero-day vulnerabilities found in in-scope assets within 14 days after the public release of a patch or mitigation may be reported, but are usually not eligible for a bounty
  • Reports that state that software is out of date/vulnerable without a proof-of-concept
Severity assessment

This program follows Intigriti's contextual CVSS standard

FAQ

Where can we get credentials for the app?

You can self-register on the Console application but please don’t forget to use your @intigriti.me address.

Do I need a bank account to test with?

No, in sandbox there is a mock bank available which simulates a real bank account with money. However it is not 100% equivalent to a real bank account, so there may be some edge cases where a vulnerability using the mock bank does not result in a genuine vulnerability with a real bank account. We will investigate any reports to see if they are reproducible in production, and if not we will mark the report as informative.

All aboard!
Please log in or sign up on the platform

For obvious reasons we can only allow submissions or applications for our program with a valid Intigriti account.

It will only take 2 minutes to create a new one or even less to log in with an existing account, so don't hesitate and let's get started. We would be thrilled to have you as part of our community.

Researchers
last contributors
logo
logo
logo
logo
logo
logo
leaderboard
logo
logo
logo
logo
logo
logo
Overall stats
submissions received
151
average payout
€357
accepted submissions
13
total payouts
€3,925
Last 90 day response times
avg. time first response
< 2 days
avg. time to decide
< 2 weeks
avg. time to triage
< 2 days
Activity
3/26
TrueLayer
closed a submission
3/26
logo
created a submission
3/24
logo
created a submission
3/21
TrueLayer
closed a submission
3/21
TrueLayer
closed a submission
3/21
TrueLayer
closed a submission
3/20
logo
created a submission
3/20
logo
created a submission
3/19
logo
created a submission
3/19
logo
created a submission