Monnos Bug Bounty Program

Monnos runs a bug bounty program to ensure the highest security and privacy of its websites. Everyone is eligible to participate in the program, subject to the conditions and requirements of Monnos set out below.

Open Bug Bounty performs triage and verification of the submissions. However, we never intervene in the further process of vulnerability remediation and disclosure between Monnos and researchers.

The bug bounty program allows private submissions only.

Bug Bounty Scope

The following websites are within the scope of the program:

Non-Intrusive Submissions Handling

The following section encompasses submission of the vulnerabilities that do not require intrusive testing as per Open Bug Bounty rules:

- Cross Site Scripting (XSS)
- Open Redirect
- Cross Site Request Forgery (CSRF)
- Improper Access Control

General Requirements:

Monnos Bug Bounty Program

At Monnos, we take your protection, security and privacy very seriously. We follow best practices and are confident in the security of our systems.

We are committed to protecting the privacy of our users and the personal data we receive from them, so we offer a bug reward program. We believe that this program will strengthen our security and allow us to continue offering an increasingly secure platform.

If you believe you have discovered a possible bug affecting our website and applications, please contact us. If your submission meets the requirements, we would be delighted to reward you for your time and effort.

Before reporting a security bug, please review the “Privacy Policy and Monnos Terms”. By participating in the bug reward program, you agree to these terms.

Testing Requirements:

To ensure that submissions and payments are fair and meaningful, the following qualification guidelines and requirements must apply to all researchers who submit bug reports:

• All bugs must be new discoveries. MNS Tokens will only be offered to the first researcher to submit a specific security bug.
• The researcher must be a user of the platform and have his KYC up to date. If you are not yet a user, visit: and download our app.
• The researcher who submits a bug cannot be a Monnos employee or ex-employee.
• The researcher who submits a bug cannot be the author of the vulnerable code.

The bugs eligible for submission are:
• Authentication bypass
• Bugs on sites operated by Monnos, such as:
• Bugs in Monnos apps for Android and iOS
• Cross-site request forgery (CSRF)
• Cross-site scripting (XSS)
• Information disclosure potential
• Remote code execution
• Timing attacks that prove the existence of a private repository
• The ability to circumvent security mechanisms
• The ability to circumvent trading mechanisms

Bugs not eligible for submission:
• Bugs that only affect legacy or incompatible browsers, plugins or operating systems
• Bugs on internal sites intended for Monnos (not for end customers)
• Insecure settings for non-sensitive cookies
• Previously submitted bugs
• Self-cross-site scripting
• Vulnerabilities that apply only to you and your account

Do not try:

Attempting to submit any of the following bugs will result in permanent disqualification from the bug reward program. We do not allow actions that may negatively impact the experience of Monnos users on our sites and applications.

• Forced attacks
• Code injection in active systems
• Outage or denial of service attacks
• Any threat, attempted coercion or extortion
• Physical attack against Monnos employees
• Vulnerability or automated analysis on Monnos servers, such as DoS and DDoS attacks

Possible Awards:

If you have discovered a security bug that meets the requirements and are the first qualified researcher to report it, we will be happy to reward you for your efforts. Below is the payout structure for our rewards, which is based on the severity and relevance of the bugs.

• All reports will be reviewed by MONNOS experts in order to validate the level of criticality.
• If approved, the amount will be made available in MNS tokens on the MONNOS Wallet.
• MONNOS' board of directors may change the criteria at any time it deems necessary, and may even cancel the program in specific cases.
• Monnos will make the reward available within 7 calendar days after the final validation.
• Awards are due only for the first report of an issue, even if that issue is not yet being handled and is still in a backlog.

• Low - 25,00 USD in MNS Tokens
• Moderate - 100,00 USD in MNS Tokens
• High - 250,00 USD in MNS Tokens
• Critical - 500,00 USD in MNS Tokens

Special Notes:

If you have any questions, we are available by email at [email protected]

Community Rating

Provided by security researchers who reported security vulnerabilities via this bug bounty program:

- Response Time: How quickly researchers get responses to their submissions.
- Remediation Time: How quickly reported submissions are fixed.
- Cooperation and Respect: How fairly and respectfully researchers are being treated.

Researcher's comments

No comments so far.
