Bug Bounty Program

Help us make customers even safer using our banking products

It is possible that despite strict controls on our banking applications, an error may occur.
That's why we ask you to help identify potential vulnerabilities.

The security of our banking services is our top priority

Despite our continuous effort, vulnerabilities in our systems can still be present. We actively encourage anyone who believes they have discovered a vulnerability in our systems to act immediately to help us improve and strengthen the safety of our online presence.

As MONETA, we strive for the highest standards of security to keep our customers safe. We recognize how important it is to protect customer privacy and ensure their security. Therefore, we have decided to invite all ethical hackers to help us find bugs and vulnerabilities in our environment and help us improve our security. If you have any questions or would like to submit a vulnerability, please do not hesitate to contact us at bugbounty@moneta.cz.

Our bug bounty program wouldn’t be successful without the help of our external community of researchers. Thank you. See our Hall of Fame.

MONETA Money Bank, a.s. reserves the right to cancel, pause or modify this program at any time. All engagements will be honoured to the conditions in existence at the time of verification of the issue.

Information about rewards

In general, we are interested in receiving reports with vulnerabilities which could lead to data leakage or compromise the confidentiality or integrity of our data which affects user privacy. The reward for the reported findings is determined individually, depending on the severity and quality of the PoC as well as other criteria. However, the maximum rewards for each type of vulnerability are as follows:

Severity | Maximum reward | Examples
Low      | 120 EUR        | Reflected XSS, Open Redirect
Medium   | 400 EUR        | Stored XSS
High     | 2 000 EUR      | SQL injection, RCE

Multiple bugs of the same type (in the same or similar technologies) found within a short period of time (10 working days at maximum) may, from the second submission onwards, be evaluated with a reduced reward. The reward will be paid by wire transfer to your bank account in Euros (EUR). Other payment methods, such as cryptocurrencies or PayPal, are not supported. We follow sanctions and restrictive measures; up-to-date information can be found here.

Let’s work on this together to keep us all safe

Together we can get it right

What errors are covered by the reward

At present, MONETA Money Bank’s bug bounty program applies to security vulnerabilities discovered in any of the following web services:
  • https://www.moneta.cz (no subdomains)
  • https://ib.moneta.cz (no subdomains)

In addition to the above-mentioned web services, MONETA Money Bank’s bug bounty program also applies to security vulnerabilities discovered in our mobile banking application Smart Banka.

We are not providing any testing accounts or environments.

For effective reporting, please follow these steps

  • Send one bug per submission to bugbounty@moneta.cz
  • If possible, always attach at least screenshots or a video (do not upload videos to YouTube or public file-sharing services)
  • All PoCs have to be reproducible without any special commercial tool

E-mail subject
[nameof.domain.cz (or mobile app) - type of bug - optional short clarification]
e.g.: moneta.cz - XSS reflected - parameter xyz

PoC template in body of e-mail submission
[short description of the vulnerability, name of impacted URL, IP, or app]

Detailed step-by-step manual to reproduce bug with screenshots
[commands, scripts, and codes in copy and paste format]

  1. First step
  2. Second step
  3. Third step

All attack scenarios and theoretical possible impacts
[you can describe attack scenarios showing how the bug could be used and what impact it could have]

Supporting material/references
[e.g., additional information, blog posts, a recommended fix, countermeasures to minimize the bug's impact, etc.]

Errors not to report

The following findings will be considered for neither a monetary reward nor a Hall of Fame acknowledgement:

  • Absent or partial SPF/DKIM/DMARC records
  • Absence of HTTP Strict Transport Security (HSTS)
  • Absence of DNSSEC
  • Clickjacking on non-logon pages
  • Attacks requiring a MITM position against a user's device
  • Self-XSS reports
  • Vulnerabilities associated with third-party cookies
  • Weak ciphers
  • Stolen credentials of MONETA clients
  • Text injection on a domain without any MONETA front-end

Responsible disclosure guidelines

To encourage responsible reporting, we will not take legal action against you nor ask law enforcement to investigate you, provided that you comply with the following responsible disclosure guidelines:

  • You will not send more than 100 requests to test rate limits (otherwise the bounty will not be paid)
  • You will not disclose the vulnerabilities found to any third party without the prior consent of MONETA
  • You will make a good faith effort to avoid property or non-material damage, privacy violations, destruction of data, and interruption or degradation of our services
  • You will not modify or access data that does not belong to you
  • You will not attempt to penetrate the system any further than required for the purpose of your investigation. Should you have successfully penetrated the system, you will not share this gained access with any others
  • You will not utilise social engineering in order to gain access to our IT systems
  • You will not utilise any brute-force techniques (e.g. repeatedly entering passwords) in order to gain access to the system

Hall of Fame only reports

Even if you find a bug which does not qualify for a monetary reward, we would still like to publicly acknowledge your effort in making our systems more secure.
Below you can see which findings qualify for a Hall of Fame record:

  • Findings that have already been identified internally
  • Theoretical security issues with no practical exploit scenario
  • No-impact bugs such as limited information disclosure
  • Host header injection with no demonstrable impact
  • Missing rate limits
  • Bugs enabling denial of service attacks
  • SSL/TLS best practices without proof of exploitability
  • Login/logout cross-site request forgery
  • Open ports which do not directly lead to a security vulnerability

Report any product or service-related issues

Please report any product or service-related issues using the dedicated e-mail address, using our PGP key to encrypt reports containing sensitive information.

One app, the whole bank

With the Smart Banka mobile app you have the whole bank in your pocket. It contains over 200 functions and 41 products, and you will find all our special offers in it. That is one reason it is the most awarded banking app on the market.

Smart Banka is the most awarded app among both clients and the expert public, and it is available on all iOS and Android devices.
