Bug Bounty Program
Help us keep MonxoBank secure. Earn rewards for finding and reporting security vulnerabilities.
Reward Structure
Compensation based on vulnerability severity
Critical
Remote code execution, fund theft, complete account takeover
High
Privilege escalation, authentication bypass, sensitive data exposure
Medium
XSS, CSRF, information disclosure, business logic flaws
Low
UI/UX issues, missing security headers, rate limiting issues
Program Scope
What's in scope and what's not
In Scope
- monxobank.com (web application)
- Mobile apps (iOS & Android)
- API endpoints (api.monxobank.com)
- Smart contracts (audited)
- Trading engine
- Authentication systems
- Payment processing
- Card issuance system
Out of Scope
- Third-party services
- Denial of Service (DoS)
- Social engineering
- Physical attacks
- Self-XSS
- Missing security headers
- Rate limiting issues
- Spam functionality
Program Rules
Guidelines for participating researchers
Responsible Disclosure
- Give us reasonable time to fix the issue before public disclosure (typically 90 days)
- Make a good faith effort to avoid privacy violations, service disruption, and data destruction
- Don't exploit a vulnerability beyond what is necessary to demonstrate it
- Don't access or modify other users' data without explicit permission
- Report the vulnerability to us first before sharing with third parties
Testing Guidelines
- Only test against accounts you own or have explicit permission to test
- Use your own funds or test funds for any financial testing
- Don't perform any testing that could degrade our services for other users
- Stop testing immediately if you discover a critical vulnerability
Safe Harbor
We will not pursue legal action against researchers who:
- Follow our program rules and responsible disclosure guidelines
- Make a good faith effort to avoid privacy violations and data destruction
- Do not exploit vulnerabilities beyond what is necessary for demonstration
- Report vulnerabilities to us directly
Out of Bounds
Activities that are not authorized include:
- Any form of denial of service testing
- Accessing or attempting to access other users' data
- Social engineering attacks against our employees or users
- Physical attacks against our infrastructure or personnel
- Spam or phishing capabilities
- Any illegal activities
How to Submit a Report
Provide detailed information for faster resolution
A good report includes:
- Summary: Clear description of the vulnerability
- Steps to Reproduce: Detailed reproduction steps with screenshots/videos
- Impact Assessment: Potential impact and affected users
- Environment: Browser, OS, app version, etc.
- Remediation Suggestions: Optional but appreciated recommendations
Submit your report via our secure PGP-encrypted form:
security@monxobank.com
PGP Key: Use our PGP key (fingerprint: 8B4E 9C2A 3D5F 6B7C) for sensitive disclosures. We respond within 24 hours.
Hall of Fame
Researchers who have helped secure our platform
@security_pro
12 vulnerabilities found
$87,500 earned
@crypto_hunter
8 vulnerabilities found
$45,200 earned
@bug_bounty_king
6 vulnerabilities found
$32,800 earned