TrueLayer is opening up finance and changing the way the world pays, empowering businesses in every industry to create first-class financial experiences for their customers. We build on top of the Open Banking and PSD2 standards to provide APIs that our customers use to offer financial data and payment initiation services.
By participating in this program, you agree to:
- Respect the Community Code of Conduct
- Respect the Intigriti Terms and Conditions
- Respect the scope of the program
- Not discuss or disclose vulnerability information without prior written consent (including PoC's on YouTube and Vimeo)
Instructions
See our extensive docs for help using our APIs. We advise you to use the sandbox environment for testing so that you do not need to go through our Know Your Customer (KYC) checks. All our payments APIs require KYC, which you will most likely not pass unless you are a genuine customer. Our sandbox environment is very similar to production.
All domains containing -sandbox are for the sandbox environment, and most have a production equivalent without -sandbox, e.g. api.truelayer-sandbox.com is the sandbox version of api.truelayer.com and has exactly the same endpoints.
You may wish to use our Postman and Insomnia collections, and Insomnia signing plugin for performing API requests:
- Quickstart guide for making a payment - Our most up to date/easy to follow documentation
- Data API Postman guide
- Payments V1 API Postman guide
- Verification Postman guide
- PayDirect Insomnia guide
- Payments V3 API Insomnia guide
What we're most interested in
- Bugs with demonstrable security impact
- Cross-tenant access control issues (e.g. no two clients should be able to access data belonging to the other)
- Critical issues like RCE or SQL injections
- Access to internal systems
- Flaws causing unauthenticated PII leakage
Timeframes
We will validate all submissions within the below timelines (once your submission has been verified by Intigriti).
Submissions validated outside of this will be awarded a €25 bonus. This remains at the discretion of TrueLayer to award.
Exceptional: 5 working days
Critical: 5 working days
High: 10 working days
Medium: 20 working days
Low: 30 working days
Working hours = Mon-Fri 9am - 5pm GMT/BST
Check our fix
We offer up to €50 bonus to 'check our fix'. This remains at the discretion of TrueLayer to award.
Feedback
If you would like to help us improve our program or have some feedback to share, please send your anonymous feedback here:
Program Feedback Link
Please note this form will be checked periodically and should not be used for submission or support queries.
Any asset relating to Zimpler is out of scope and should not be tested.
The contact form at https://truelayer.com/contact/ goes to a third party and SHOULD NOT be tested. Please avoid spamming any contact forms in general, including the live chat. Real people have to review these messages.
Domains
Any domain that is not listed in the Domains section is out of scope for this program. Any domain that is explicitly marked as out of scope in the Domains section is managed through third-party providers and as such MUST NOT be tested. The only exception here is insecure configurations that TrueLayer is in control of. Please let us know if we have an insecure configuration, but please ensure you abide by any terms and conditions imposed by the third party during any testing.
Application
- API key disclosure without proven business impact
- Wordpress usernames disclosure
- Pre-Auth Account takeover/OAuth squatting
- Self-XSS that cannot be used to exploit other users
- Verbose messages/files/directory listings without disclosing any sensitive information
- CORS misconfiguration on non-sensitive endpoints
- Missing cookie flags
- Missing security headers
- Cross-site Request Forgery with no or low impact
- Presence of autocomplete attribute on web forms
- Reverse tabnabbing
- Bypassing rate-limits or the non-existence of rate-limits
- Best practices violations (password complexity, expiration, re-use, etc.)
- Clickjacking without proven impact/unrealistic user interaction
- CSV Injection
- Sessions not being invalidated (logout, enabling 2FA, etc.)
- Tokens leaked to third parties
- Anything related to email spoofing, SPF, DMARC or DKIM
- Content injection without being able to modify the HTML
- Username/email enumeration
- Email bombing
- HTTP Request smuggling without any proven impact
- Homograph attacks
- XMLRPC enabled
- Banner grabbing/Version disclosure
- Not stripping metadata of files
- Same-site scripting
- Subdomain takeover without taking over the subdomain
- Arbitrary file upload without proof of the existence of the uploaded file
- Blind SSRF without proven business impact (pingbacks are not sufficient)
- Disclosed/misconfigured Google Maps API keys
- Host header injection without proven business impact
- Broken link hijacking will be marked as informational and is not eligible for a bounty payout unless significant impact can be demonstrated (e.g. JavaScript resources being loaded from an expired domain)
General
- If a reported vulnerability was already known to the company from its own tests, it will be flagged as a duplicate
- Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited
- Spam, social engineering and physical intrusion
- DoS/DDoS attacks or brute force attacks
- Vulnerabilities that only work on software that no longer receives security updates
- Attacks requiring physical access to a victim's computer/device, man in the middle or compromised user accounts
- Recently discovered zero-day vulnerabilities found in in-scope assets within 14 days after the public release of a patch or mitigation may be reported, but are usually not eligible for a bounty
- Reports that state that software is out of date/vulnerable without a proof-of-concept
This program follows Intigriti's triage standards
Where can we get credentials for the app?
You can self-register on the Console application but please don’t forget to use your @intigriti.me address.
Do I need a bank account to test with?
No, in sandbox there is a mock bank available which simulates a real bank account with money. However, it is not 100% equivalent to a real bank account, so there may be some edge cases where a vulnerability using the mock bank does not result in a genuine vulnerability with a real bank account. We will investigate any reports to see if they are reproducible in production, and if not we will mark the report as informative.
For obvious reasons we can only allow submissions or applications for our program with a valid Intigriti account.
It will only take 2 minutes to create a new one or even less to log in with an existing account, so don't hesitate and let's get started. We would be thrilled to have you as part of our community.