
Monnos Bug Bounty Program

Monnos runs a bug bounty program to ensure the highest security and privacy of its websites. Everyone is eligible to participate in the program, subject to the conditions and requirements of Monnos stated below.

Open Bug Bounty performs triage and verification of the submissions. However, we never intervene in the further process of vulnerability remediation and disclosure between Monnos and researchers.

This bug bounty program allows private submissions only.

Bug Bounty Scope

The following websites are within the scope of the program:

monnos.com

Non-Intrusive Submissions Handling

The following section covers submissions of vulnerabilities that do not require intrusive testing, as per Open Bug Bounty rules:

- Cross Site Scripting (XSS)
- Open Redirect
- Cross Site Request Forgery (CSRF)
- Improper Access Control

General Requirements:

Monnos Bug Bounty Program

At Monnos, we take your protection, security and privacy very seriously. We follow best practices and are confident in the security of our systems.

We are committed to protecting the privacy of our users and the personal data we receive from them, so we offer a bug reward program. We believe that this program will strengthen our security and allow us to continue offering an increasingly secure platform.

If you believe you have discovered a possible bug affecting our website and applications, please contact us. If your submission meets the requirements, we would be delighted to reward you for your time and effort.

Before reporting a security bug, please review the "Privacy Policy and Monnos Terms". By participating in the bug reward program, you agree to these terms.

https://monnos.com/en/legal/

Testing Requirements:

To ensure that submissions and payments are fair and meaningful, the following qualification guidelines and requirements apply to all researchers who submit bug reports:

• All bugs must be new discoveries. MNS Tokens will only be offered to the first researcher to submit a specific security bug.
• The researcher must be a user of the platform and have their KYC up to date. If you are not yet a user, visit: https://www.monnos.com and download our app.
• The researcher who submits a bug cannot be a Monnos employee or ex-employee.
• The researcher who submits a bug cannot be the author of the vulnerable code.

The bugs eligible for submission are:
• Authentication bypass
• Bugs on sites operated by Monnos, such as: monnos.com
• Bugs in Monnos apps for Android and iOS
• Cross-site request forgery (CSRF)
• Cross-site scripting (XSS)
• Potential information disclosure
• Remote code execution
• Timely attacks proving the existence of a private repository
• The ability to circumvent security mechanisms
• The ability to circumvent trading mechanisms

Bugs not eligible for submission:
• Bugs that only affect legacy or incompatible browsers, plugins or operating systems
• Bugs on internal sites intended for Monnos (not for end customers)
• Insecure settings for non-sensitive cookies
• Previously submitted bugs
• Self-cross-site scripting
• Vulnerabilities that apply only to you and your account

Do not try:

Attempting to submit any of the following bugs will result in permanent disqualification from the bug reward program. We do not allow actions that may negatively impact the experience of Monnos users on our sites and applications.

• Forced attacks
• Code injection in active systems
• Outage or denial of service attacks
• Any threat, attempted coercion or extortion
• Physical attacks against Monnos employees
• Vulnerability scanning or automated analysis on Monnos servers, such as DoS and DDoS attacks

Possible Awards:

If you have discovered a security bug that meets the requirements and are the first qualified researcher to report it, we will be happy to reward you for your efforts. Below is the payout structure for our rewards, which is based on the severity and relevance of the bugs.

• All reports will be reviewed by MONNOS experts in order to validate the level of criticality.
• If approved, the amount will be made available in MNS tokens in the MONNOS Wallet.
• The MONNOS board of directors may change the criteria at any time it deems necessary, and may even cancel the program in specific cases.
• Monnos will make the reward available within 7 calendar days after the final validation.
• Awards are due only for the first report of a given case, even if that report has not yet been handled and is still in the backlog.

REWARDS:
Low - 25.00 USD in MNS Tokens
Moderate - 100.00 USD in MNS Tokens
High - 250.00 USD in MNS Tokens
Critical - 500.00 USD in MNS Tokens

Special Notes:

For any questions, we are available at the email [email protected]
