Happy New Year to all our hackers!
This is just a small reminder that you still have until 7th January 2024 23:59:59 GMT to submit a finding related to api.truelayer-sandbox.com and get a bonus:
Please refer to our previous announcement for more details!
The TrueLayer Security Team
The TrueLayer security team would like to thank you for all your hard work on our bug bounty program this year, and would like to offer an end-of-year treat for anyone who finds themselves with a bit of time for practicing their API testing skills.
Starting from 18th December 2023 00:00:00 GMT to 7th January 2024 23:59:59 GMT we will be awarding bonuses for the following:
Note that you must use our sandbox API for testing purposes, which allows you to test making payments using fake money so no bank accounts are required. The sandbox environment closely matches our production environment, but we will review submissions to make sure they are reproducible in our production environment. In the unlikely event that the issue only affects sandbox we will still consider your report to be valid but the severity of the issue may be limited.
For help getting started with using our API, please see our quickstart guides. We have Insomnia and Postman collections available to make testing easier. You may also wish to look at our various SDK libraries (e.g. for .NET here or for Java here) to see how we expect our customers to integrate with our APIs.
Please note that triage time by both Intigriti and TrueLayer may be slightly delayed over the Christmas and New Year period so we cannot guarantee your submission will be reviewed in the normal timeframes, but rest assured we will review your reports and pay bonuses as soon as we can.
Happy Christmas and happy hunting! 🤑🤑🤑
The TrueLayer security team
We've noticed some of you are not using your @intigriti.me email address for registering on our Console. Please remember that the scope requires you to do this. This is so that when we review our logs we can easily identify traffic from security researchers.
If you require multiple accounts for testing purposes, consider using emails like email@example.com which will both go to your inbox. Please see the Intigriti docs for more info.
We bring you good news - we've increased the amount we pay out for bounties!
We now pay €5000 for an exceptional vulnerability in our tier 1 assets (up from €3000). Payouts have been increased for all severities and tiers, with the highest severity issues being increased the most.
We hope this helps encourage you to test out our APIs. To do this, you need to register for an account on console.truelayer.com, where you can generate credentials for accessing the APIs. Our quickstart docs are a good starting point. We have both Postman and Insomnia collections available, which can be proxied through tools such as Burp Suite. Please remember to use rate limiting for automated requests as indicated in the program scope, and please remember to add a custom header with your Intigriti username (details provided in the program scope).
You can also use our SDKs to call our APIs; these are provided in languages such as .NET and Java. We pay out for exploitable vulnerabilities found in these open source SDKs too; they fall under our tier 2 assets. Please review the program details to see the full list of what's in scope.
Thank you and happy hunting :)
Just a quick update: please avoid testing the contact form on our public website. It sends data to a third party, and each XSS payload is causing quite a lot of noise for the team that responds to these contact form messages.
Please also remember to review the out-of-scope section; for example, support.truelayer.com is out of scope as it is run by a third party.
Thank you for your co-operation!
Just a quick update with what's going on with TrueLayer's bug bounty program!
We've recently added some open source libraries to our in-scope list, including a WordPress plugin that lets you use TrueLayer as a checkout option in a WooCommerce store. You will be able to see the full end-to-end process of using TrueLayer for making ecommerce payments by registering in our Console and using our sandbox environment for testing with pretend money. You can read the docs here for instructions on setting this up. Please note that krokedil.com is a third-party website and is outside the scope of the bug bounty program.
We've also added our Rust, PHP and iOS SDK libraries, which are intended for use by our clients for building integrations with our payment APIs. If you like reviewing source code for vulnerabilities, this is your opportunity :)
We've recently added MFA support to our developer website. This needs to be enabled in your account by going to the top right menu, clicking on User settings, then following the steps where it says Multi-factor authentication (MFA). You can use a tool like Google Authenticator or a Yubikey to enable MFA. If you are able to bypass the MFA requirement for an MFA enabled user account and login to the Console without MFA, we will offer a €500 bonus to the first valid report :)
Thanks and looking forward to more submissions!
Hi all! It’s been about a month since we launched our private bug bounty program on Intigriti and I wanted to share an update on how it’s going so far.
Many of you have registered accounts in our Console and have been looking for logic and frontend issues there, which we thank you for! Because all the submissions so far have been in the Console, we've moved the Console to tier 2 and would like to draw your attention to our APIs, where we still have lots of bounty budget available to pay out for any issues you find, whether they are cross-account access issues (e.g. horizontal privilege escalation), injection issues related to any API parameters, or business logic concerns.
We have Postman and Insomnia collections available for most of our API endpoints so you don't have to work out how to build the API requests yourself. Both Postman and Insomnia support HTTP proxies, so they can be configured to send traffic through tools such as Burp Suite. Our sandbox environment does not require real money to be used when making payments, so we recommend you use sandbox with our mock bank. The sandbox environment works exactly like production, so if you find a way to use our Payouts API to pay money out of another of your own client accounts in sandbox we definitely want to hear from you ;)
We have just added three open source repos to the scope: our .NET and Java SDKs, and our signing repo with packages in various programming languages to automatically sign HTTP requests to our APIs where necessary. If you like doing secure code reviews or would like to look for issues with our GitHub Actions or CircleCI workflows, you could look here!
Finally, as a friendly reminder, please remember to set your X-Intigriti-Username header with your username as the value when making requests to any of our domains :)
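The two requirements repeated across these announcements, the X-Intigriti-Username header on every request and rate limiting of automated traffic, are easy to forget when a test harness is built quickly. The following is an added example, not code from TrueLayer or Intigriti: a small Python client helper that refuses to send a request without the header and throttles requests with a token bucket so the client never exceeds a configured rate. The base URL, username and rate values are placeholders; the program scope is authoritative for the actual limit, and the `transport` callable is an assumption introduced so the throttling logic can be exercised without network access.

```python
"""Added example (not TrueLayer's or Intigriti's code): a throttled client
helper that stamps every outgoing request with X-Intigriti-Username and
rate-limits requests with a token bucket.  All URLs, names and rates below
are placeholders chosen for illustration."""
import time
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

REQUIRED_HEADER = "X-Intigriti-Username"


def build_headers(intigriti_username: str,
                  extra: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Return request headers with the researcher identification header set.

    An empty username raises so a misconfigured harness can never emit
    traffic that the program owners cannot attribute in their logs.
    """
    if not intigriti_username or not intigriti_username.strip():
        raise ValueError(f"{REQUIRED_HEADER} must not be empty")
    headers = dict(extra or {})
    headers[REQUIRED_HEADER] = intigriti_username.strip()
    return headers


@dataclass
class TokenBucket:
    """Token bucket: `rate` requests per second, bursts of at most `capacity`.

    `clock` and `sleep` are injectable so the limiter can be tested without
    real waiting; the defaults use the monotonic clock and time.sleep.
    """
    rate: float
    capacity: int
    clock: Callable[[], float] = time.monotonic
    sleep: Callable[[float], None] = time.sleep
    tokens: float = field(init=False)
    last: float = field(init=False)

    def __post_init__(self) -> None:
        self.tokens = float(self.capacity)
        self.last = self.clock()

    def _refill(self) -> None:
        now = self.clock()
        self.tokens = min(float(self.capacity),
                          self.tokens + (now - self.last) * self.rate)
        self.last = now

    def wait_time(self) -> float:
        """Seconds until one more request is allowed (0.0 if allowed now)."""
        self._refill()
        if self.tokens >= 1.0:
            return 0.0
        return (1.0 - self.tokens) / self.rate

    def try_acquire(self) -> bool:
        """Consume a token if one is available; never blocks."""
        if self.wait_time() > 0.0:
            return False
        self.tokens -= 1.0
        return True

    def acquire(self) -> float:
        """Block until a token is available, consume it, return seconds waited."""
        delay = self.wait_time()
        if delay > 0.0:
            self.sleep(delay)
            self._refill()
        self.tokens -= 1.0
        return delay


def _urllib_transport(method: str, url: str,
                      headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Default transport: send the request with the standard library."""
    req = urllib.request.Request(url, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read()


class ThrottledClient:
    """Applies the header requirement and the limiter to every request."""

    def __init__(self, base_url: str, intigriti_username: str,
                 bucket: TokenBucket,
                 transport: Optional[Callable[..., object]] = None) -> None:
        self.base_url = base_url.rstrip("/")
        self.username = intigriti_username
        self.bucket = bucket
        self.transport = transport or _urllib_transport

    def request(self, method: str, path: str,
                headers: Optional[Dict[str, str]] = None) -> object:
        self.bucket.acquire()  # waits if the configured rate would be exceeded
        hdrs = build_headers(self.username, headers)
        url = f"{self.base_url}/{path.lstrip('/')}"
        return self.transport(method, url, hdrs)


if __name__ == "__main__":
    # Placeholder values: 2 requests/second with a burst of 3; the real limit
    # is whatever the program scope states.
    client = ThrottledClient("https://sandbox.example.test", "researcher-placeholder",
                             TokenBucket(rate=2.0, capacity=3))
    print(client.request("GET", "/"))
```

The limiter is deliberately conservative: `acquire` computes the exact wait for one token rather than polling, and `build_headers` fails closed on an empty username, so the only way to send traffic through `ThrottledClient` is with the identifying header present.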
Looking forward to any new submissions from you all!