Help us make customers even safer using our banking products
That's why we ask you to help identify potential vulnerabilities.
The security of our banking services is our top priority
As MONETA, we strive for the highest standards of security to keep our customers safe. We recognize how important it is to protect customer privacy and ensure their security. Therefore, we have decided to invite all ethical hackers to help us find bugs and vulnerabilities in our environment and help us improve our security. If you have any questions or would like to submit a vulnerability, please do not hesitate to contact us at bugbounty@moneta.cz.
Our bug bounty program wouldn’t be successful without the help of our external community of researchers. Thank you. See our Hall of Fame.
MONETA Money Bank, a.s. reserves the right to cancel, pause or modify this program at any time. All engagements will be honoured according to the conditions in force at the time the issue was verified.
Information about rewards
Severity | Low | Medium | High
---|---|---|---
Maximum reward | 120 EUR | 400 EUR | 2 000 EUR
Examples | Reflected XSS, Open Redirect | Stored XSS | SQL injection, RCE
Let’s work on this together to keep us all safe
What bugs are covered by the reward
At present, MONETA Money Bank’s bug bounty program applies to security vulnerabilities discovered in any of the following web services:
https://www.moneta.cz (no subdomains)
https://ib.moneta.cz (no subdomains)
In addition to the above-mentioned web services, MONETA Money Bank’s bug bounty program also applies to security vulnerabilities discovered in our mobile banking application Smart Banka.
We are not providing any testing accounts or environments.
For effective reporting, please follow these steps
- Send one bug per submission to bugbounty@moneta.cz
- Where possible, attach at least screenshots or a video (do not upload videos to YouTube or public file-sharing services)
- Every PoC must be reproducible without any special commercial tool
E-mail subject
[nameof.domain.cz (or mobile app) - type of bug - optional short clarification]
e.g.: moneta.cz - XSS reflected - parameter xyz
PoC template in body of e-mail submission
[short description of the vulnerability, name of impacted URL, IP, or app]
Detailed step-by-step manual to reproduce bug with screenshots
[commands, scripts, and codes in copy and paste format]
- First step
- Second step
- Third step
All attack scenarios and theoretical possible impacts
[describe how the bug could be used in an attack and what impact it could have]
Supporting material/references
[e.g., additional information, blog posts, a recommended fix, countermeasures to minimise the bug's impact, etc.]
Ineligible Submissions
The following findings will be considered for neither a monetary reward nor a Hall of Fame acknowledgement:
- Stolen or leaked credentials of MONETA clients
- Disclosure of known public files, directories, documents, excel sheets, etc.
- Hypothetical flaw or best practices without PoC and concrete attack scenario
- Third-party provider's software vulnerabilities
- Vulnerabilities affecting users of outdated or unpatched browsers and platforms
- Reports from automated tools or scans, such as nmap script outputs
- Use of a vulnerable or outdated library without evidence of exploitability
- Errors thrown by a web service when using an invalid request
- Technical information disclosure without impact
- Vulnerability to the Terrapin attack without a proof of exploitation
- Missing cookie security headers, such as HttpOnly and Secure
- Missing security-related HTTP headers which do not lead directly to a vulnerability
- CORS misconfiguration without an exploit that would compromise sensitive information
- Clickjacking on pages with no sensitive actions
- Self-XSS (Cross-Site Scripting that only the victim can trigger against themselves)
- Attacks requiring a man-in-the-middle position against a user's device
- Brute force attacks
Responsible disclosure guidelines
To encourage responsible reporting, we will not take legal action against you nor ask law enforcement to investigate you, provided that you comply with the following responsible disclosure guidelines:
- You will not send more than 100 requests when testing a rate limit (otherwise the finding will not be rewarded)
- You will not disclose the vulnerabilities found to any third party without the prior consent of MONETA
- You will make a good faith effort to avoid property or non-material damage, privacy violations, destruction of data, and interruption or degradation of our services
- You will not modify or access data that does not belong to you
- You will not attempt to penetrate the system any further than required for the purpose of your investigation. Should you have successfully penetrated the system, you will not share this gained access with any others
- You will not utilise social engineering in order to gain access to our IT systems
- You will not utilise any brute-force techniques (e.g. repeatedly entering passwords) in order to gain access to the system
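A researcher who wants to check for a missing rate limit still has to respect the 100-request ceiling above. The script below is an added example (it is not MONETA tooling and the page does not prescribe any tool): it sends at most a fixed budget of requests, defaulting to the program's 100, and stops as soon as the server signals throttling. The `send` callable, the `http_sender` helper, the target URL and the `fake_sender` stand-in are all assumptions for illustration.

```python
"""Capped rate-limit probe (added example, not MONETA's own code).

Sends at most `budget` requests, default 100 as the program rules require,
and stops early as soon as the server starts throttling. A constructed fake
sender is included so the logic can be exercised without touching any host.
"""
import time
import urllib.request
import urllib.error
from typing import Callable, Optional

# Status codes taken here to mean "the server is throttling this client".
THROTTLE_STATUSES = {429, 503}
PROGRAM_REQUEST_CAP = 100  # hard ceiling from the disclosure guidelines


def probe_rate_limit(send: Callable[[int], int], budget: int = PROGRAM_REQUEST_CAP,
                     delay_s: float = 0.0) -> dict:
    """Call send(i) (must return an HTTP status code) at most `budget` times.

    Returns the number of requests actually sent, the request number at which
    throttling first appeared (None if never within the budget) and a flag.
    The budget can be lowered but never raised above the program cap.
    """
    if budget <= 0 or budget > PROGRAM_REQUEST_CAP:
        raise ValueError(f"budget must be between 1 and {PROGRAM_REQUEST_CAP}")
    sent = 0
    first_throttled: Optional[int] = None
    for i in range(1, budget + 1):
        status = send(i)
        sent += 1
        if status in THROTTLE_STATUSES:
            first_throttled = i
            break  # stop at the first sign of throttling; no need to spend more
        if delay_s:
            time.sleep(delay_s)
    return {
        "sent": sent,
        "first_throttled": first_throttled,
        "rate_limited": first_throttled is not None,
    }


def http_sender(url: str) -> Callable[[int], int]:
    """Assumed real sender: one GET per call, returning the HTTP status code.
    Only use this against targets that are in scope for the program."""
    def send(_i: int) -> int:
        try:
            with urllib.request.urlopen(url, timeout=10) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code  # 4xx/5xx are raised as exceptions by urllib
    return send


def fake_sender(limit_after: Optional[int]) -> Callable[[int], int]:
    """Constructed stand-in for http_sender: returns 200 up to request number
    `limit_after`, then 429. limit_after=None models an endpoint with no limit."""
    def send(i: int) -> int:
        if limit_after is not None and i > limit_after:
            return 429
        return 200
    return send


if __name__ == "__main__":
    # Endpoint that throttles after 30 requests: the probe stops at request 31.
    print(probe_rate_limit(fake_sender(30)))
    # Endpoint with no limit: the probe stops at the 100-request cap.
    print(probe_rate_limit(fake_sender(None)))
```

Swap `fake_sender(...)` for `http_sender("https://<in-scope host>/<endpoint>")` to run it for real; the cap stays enforced inside `probe_rate_limit`, so a forgotten loop bound cannot take the test over 100 requests.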
Hall of Fame-only reports
Even if you find a bug which does not qualify for a monetary reward, we would still like to publicly acknowledge your effort in making our systems more secure.
Below you can see which findings qualify for a Hall of Fame record:
- Findings that have already been identified internally
- Design flaws that do not lead to security vulnerabilities
- Content spoofing / text injection
- Host injection without a proof of possible exploit
- Open ports without an accompanying proof-of-concept demonstrating vulnerability
- Invalid, incomplete or missing SPF (Sender Policy Framework), DKIM or DMARC records
- Insecure SSL/TLS ciphers
- Internal IP disclosure
- Missing rate limit