Bug Bounty Program

Help us keep MonxoBank secure. Earn rewards for finding and reporting security vulnerabilities.

Up to $250,000

Maximum reward for critical vulnerabilities

Average payout: $2,500 | Response time: 24 hours

Reward Structure

Compensation based on vulnerability severity

Critical

$50K - $250K

Remote code execution, fund theft, complete account takeover

High

$10K - $50K

Privilege escalation, authentication bypass, sensitive data exposure

Medium

$1K - $10K

XSS, CSRF, information disclosure, business logic flaws

Low

$100 - $1K

UI/UX issues, missing security headers, rate limiting issues

Program Scope

What's in scope and what's not

In Scope

  • monxobank.com (web application)
  • Mobile apps (iOS & Android)
  • API endpoints (api.monxobank.com)
  • Smart contracts (audited)
  • Trading engine
  • Authentication systems
  • Payment processing
  • Card issuance system

Out of Scope

  • Third-party services
  • Denial of Service (DoS)
  • Social engineering
  • Physical attacks
  • Self-XSS
  • Missing security headers
  • Rate limiting issues
  • Spam functionality

Program Rules

Guidelines for participating researchers

Responsible Disclosure

  • Give us reasonable time to fix the issue before public disclosure (typically 90 days)
  • Make a good faith effort to avoid privacy violations, service disruption, and data destruction
  • Don't exploit a vulnerability beyond what is necessary to demonstrate it
  • Don't access or modify other users' data without explicit permission
  • Report the vulnerability to us first before sharing with third parties

Testing Guidelines

  • Only test against accounts you own or have explicit permission to test
  • Use your own funds or test funds for any financial testing
  • Don't perform any testing that could degrade our services for other users
  • Stop testing immediately if you discover a critical vulnerability

Safe Harbor

We will not pursue legal action against researchers who:

  • Follow our program rules and responsible disclosure guidelines
  • Make a good faith effort to avoid privacy violations and data destruction
  • Do not exploit vulnerabilities beyond what is necessary for demonstration
  • Report vulnerabilities to us directly

Out of Bounds

Activities that are not authorized include:

  • Any form of denial of service testing
  • Accessing or attempting to access other users' data
  • Social engineering attacks against our employees or users
  • Physical attacks against our infrastructure or personnel
  • Spam or phishing capabilities
  • Any illegal activities

How to Submit a Report

Provide detailed information for faster resolution

A good report includes:

  • Summary

    Clear description of the vulnerability

  • Steps to Reproduce

    Detailed reproduction steps with screenshots/videos

  • Impact Assessment

    Potential impact and affected users

  • Environment

    Browser, OS, app version, etc.

  • Remediation Suggestions

    Optional but appreciated recommendations

Submit your report via our secure PGP-encrypted form:

security@monxobank.com

PGP Key: Use our PGP key (fingerprint: 8B4E 9C2A 3D5F 6B7C) for sensitive disclosures. We respond within 24 hours.

Hall of Fame

Researchers who have helped secure our platform

@security_pro

12 vulnerabilities found

$87,500 earned

@crypto_hunter

8 vulnerabilities found

$45,200 earned

@bug_bounty_king

6 vulnerabilities found

$32,800 earned