
Monnos Bug Bounty Program

Monnos runs a bug bounty program to ensure the highest security and privacy of its websites. Everyone is eligible to participate in the program, subject to the conditions and requirements of Monnos set out below.

Open Bug Bounty performs triage and verification of the submissions. However, we never intervene in the further process of vulnerability remediation and disclosure between Monnos and researchers.

The bug bounty program allows private submissions only.

Bug Bounty Scope

The following websites are within the scope of the program:

monnos.com

Non-Intrusive Submissions Handling

This section covers submissions of vulnerabilities that do not require intrusive testing, as per Open Bug Bounty rules:

- Cross Site Scripting (XSS)
- Open Redirect
- Cross Site Request Forgery (CSRF)
- Improper Access Control

General Requirements:

Monnos Bug Bounty Program

At Monnos, we take your protection, security and privacy very seriously. We follow best practices and are confident in the security of our systems.

We are committed to protecting the privacy of our users and the personal data we receive from them, so we offer a bug reward program. We believe that this program will strengthen our security and allow us to continue offering an increasingly secure platform.

If you believe you have discovered a possible bug affecting our website and applications, please contact us. If your submission meets the requirements, we would be delighted to reward you for your time and effort.

Before reporting a security bug, please review the “Privacy Policy and Monnos Terms”. By participating in the bug reward program, you agree to these terms.

https://monnos.com/en/legal/

Testing Requirements:

To ensure that submissions and payments are fair and meaningful, the following qualification guidelines and requirements apply to all researchers who submit bug reports:

• All bugs must be new discoveries. MNS Tokens will only be offered to the first researcher to submit a specific security bug.
• The researcher must be a user of the platform and have up-to-date KYC. If you are not yet a user, visit https://www.monnos.com and download our app.
• The researcher who submits a bug cannot be a Monnos employee or ex-employee.
• The researcher who submits a bug cannot be the author of the vulnerable code.

The bugs eligible for submission are:
• Authentication bypass
• Bugs on sites operated by Monnos, such as: monnos.com
• Bugs in Monnos apps for Android and iOS
• Cross-site request forgery (CSRF)
• Cross-site scripting (XSS)
• Potential information disclosure
• Remote code execution
• Timing attacks proving the existence of a private repository
• The ability to circumvent security mechanisms
• The ability to circumvent trading mechanisms

Bugs not eligible for submission:
• Bugs that only affect legacy or incompatible browsers, plugins or operating systems
• Bugs on Monnos-internal sites (not intended for end customers)
• Insecure settings for non-sensitive cookies
• Previously submitted bugs
• Self cross-site scripting (self-XSS)
• Vulnerabilities that apply only to you and your account

Do not try:

Attempting any of the following will result in permanent disqualification from the bug reward program. We do not allow actions that may negatively impact the experience of Monnos users on our sites and applications.
• Brute-force attacks
• Code injection in live systems
• Outage or denial of service attacks
• Any threat, attempted coercion or extortion
• Physical attacks against Monnos employees
• Automated vulnerability scanning or analysis of Monnos servers, including DoS and DDoS attacks

Possible Awards:

If you have discovered a security bug that meets the requirements and are the first qualified researcher to report it, we will be happy to reward you for your efforts. Below is the payout structure for our rewards, which is based on the severity and relevance of the bugs.

• All reports will be reviewed by Monnos experts in order to validate the level of criticality;
• If approved, the amount will be made available in MNS tokens in the Monnos Wallet;
• Monnos' board of directors may change the criteria at any time it deems necessary, and may even cancel it in specific cases;
• Monnos will make the funds available within 7 calendar days after the final validation;
• Rewards are due only for the first report of a given issue, even if that report has not yet been handled and is still in the backlog.

REWARDS:
Low - USD 25.00 in MNS tokens (1,462.8438 MNS)
Moderate - USD 200.00 in MNS tokens (11,702.7501 MNS)
High - USD 400.00 in MNS tokens (23,405.5003 MNS)
Critical - USD 600.00 in MNS tokens (35,108.2504 MNS)

Special Notes:

For any questions, we are available by email at [email protected]
