Bug Bounty Program

Help us make customers even safer using our banking products

It is possible that, despite the strict controls on our banking applications, an error may still occur. That is why we ask you to help us identify potential vulnerabilities.

The security of our banking services is our top priority

Despite our continuous effort, vulnerabilities in our systems can still be present. We actively encourage anyone who believes they have discovered a vulnerability in our systems to report it promptly, so that we can fix it and strengthen the security of our online presence.

As MONETA, we strive for the highest standards of security to keep our customers safe. We recognize how important it is to protect customer privacy and ensure their security. Therefore, we have decided to invite all ethical hackers to help us find bugs and vulnerabilities in our environment and help us improve our security. If you have any questions or would like to submit a vulnerability, please do not hesitate to contact us at bugbounty@moneta.cz.

Our bug bounty program wouldn’t be successful without the help of our external community of researchers. Thank you. See our Hall of Fame.

MONETA Money Bank, a.s. reserves the right to cancel, pause or modify this program at any time. All submissions will be honoured under the conditions in force at the time the issue is verified.

Information about rewards

In general, we are interested in receiving reports of vulnerabilities that could lead to data leakage, or that compromise the confidentiality or integrity of our data and thereby affect user privacy. The reward for a reported finding is determined individually, depending on its severity, the quality of the PoC and other criteria. The maximum reward for each severity level is as follows:
Severity   Maximum reward   Examples
Low        120 EUR          Reflected XSS, Open Redirect
Medium     400 EUR          Stored XSS
High       2 000 EUR        SQL injection, RCE
Critical   4 000 EUR        Compromising core systems

Multiple bugs of the same type (in the same or similar technologies) reported within a short period of time (at most 10 working days) may, from the second submission onwards, be evaluated with a reduced reward. Rewards are paid by wire transfer to your bank account in Euros (EUR). Other payment methods, such as cryptocurrencies or PayPal, are not supported. We comply with applicable sanctions and restrictive measures; up-to-date information can be found here.

Let’s work on this together to keep us all safe

Together we can get it right

What errors are covered by the reward

At present, MONETA Money Bank’s bug bounty program applies to security vulnerabilities discovered in any of the following web services:
https://www.moneta.cz (no subdomains)
https://ib.moneta.cz (no subdomains)

In addition to the above-mentioned web services, MONETA Money Bank’s bug bounty program also applies to security vulnerabilities discovered in our mobile banking application Smart Banka.

We do not provide any test accounts or test environments.

For effective reporting, please follow these steps

  • Send one bug per submission to bugbounty@moneta.cz
  • Whenever possible, attach at least screenshots or a video (do not upload videos to YouTube or to public file-sharing services)
  • Every PoC must be reproducible without any special commercial tool

E-mail subject
[nameof.domain.cz (or mobile app) - type of bug - optional short clarification]
e.g.: moneta.cz - XSS reflected - parameter xyz

PoC template in body of e-mail submission
[short description of the vulnerability and the name of the impacted URL, IP address or app]

Detailed step-by-step instructions to reproduce the bug, with screenshots
[commands, scripts and code in copy-and-paste format]

  1. First step
  2. Second step
  3. Third step

All attack scenarios and theoretically possible impacts
[describe how the bug could be exploited and what impact it could have]

Supporting material/references
[e.g. additional information, blog posts, a recommended fix, countermeasures that minimise the bug's impact, etc.]

Do not report these issues

The following findings will not be considered for either a monetary reward or a Hall of Fame acknowledgement:
Absent or partial SPF/DKIM/DMARC records
Absence of HTTP Strict Transport Security (HSTS)
Absence of DNSSEC
Clickjacking on non-login pages
Attacks that require a MITM position against a user's device
Self-XSS reports
Vulnerabilities associated with third-party cookies
Weak ciphers
Stolen credentials of MONETA clients
Text injection on a domain without any MONETA front-end


Responsible disclosure guidelines

To encourage responsible reporting, we will not take legal action against you, nor ask law enforcement to investigate you, provided that you comply with the following responsible disclosure guidelines:
You will not send more than 100 requests when testing a rate limit (otherwise the finding will not be rewarded)
You will not disclose the vulnerabilities found to any third party without the prior consent of MONETA
You will make a good-faith effort to avoid property or non-material damage, privacy violations, destruction of data, and interruption or degradation of our services
You will not modify or access data that does not belong to you
You will not attempt to penetrate the system any further than is required for the purpose of your investigation. Should you successfully penetrate the system, you will not share the access gained with anyone else
You will not use social engineering in order to gain access to our IT systems
You will not use any brute-force techniques (e.g. repeatedly entering passwords) in order to gain access to the system


Hall of Fame only reports

Even if you find a bug that does not qualify for a monetary reward, we would still like to publicly acknowledge your effort in making our systems more secure.
The following findings qualify for a Hall of Fame record:
Findings that have already been identified internally
Theoretical security issues with no practical exploit scenario
No-impact bugs, such as limited information disclosure
Host header injection with no demonstrable impact
Missing rate limits
Bugs enabling denial-of-service attacks
SSL/TLS best-practice findings without proof of exploitability
Login/logout cross-site request forgery
Open ports that do not directly lead to a security vulnerability


Please report any product- or service-related security issues to the dedicated e-mail address bugbounty@moneta.cz, and use our PGP key to encrypt any report that contains sensitive information.