Bug Bounty Program
Published 06/11/2024 by Bruno Pimentel

Welcome to the SuperMoney Bug Bounty Program! Our program aims to strengthen SuperMoney’s cybersecurity posture by engaging with the security community to identify and address potential vulnerabilities in our platform.
Responsible Disclosure Policy
Our policy emphasizes:
- Prompt reporting of potential security issues.
- Detailed reports with clear steps to reproduce vulnerabilities.
- Avoidance of privacy violations, data destruction, or service disruption.
- Non-disclosure of submissions without explicit permission.
- Safe harbor protection for researchers adhering to the policy.
Scope
The SuperMoney Bug Bounty Program covers all aspects of our platform, including:
- supermoney.com website;
- admin consoles;
- API endpoints.
We are interested in vulnerabilities such as injection attacks, authentication flaws, cross-site scripting, sensitive data exposure, privilege escalation, and others.
Exclusions / Out Of Scope
While we appreciate your efforts, please refrain from engaging in the following:
- denial-of-service attacks;
- spamming, social engineering, or phishing attempts;
- physical attempts against SuperMoney property, fingerprinting on public services;
- reporting missing security headers/possibility of accessing resources using specific headers;
- UI bugs not related to security;
Reward
Bug rewards are at the discretion of SuperMoney’s InfoSec team. However, we ensure the minimum reward for eligible bugs (new, previously unidentified, verified vulnerability) is $10 USD.
For severe issues that potentially impact a large user base, higher rewards may be granted. It’s important to note that each bug qualifies for a reward only once.
Severity | Description | Reward
---|---|---
Low | Issues that pose minimal risk and typically do not affect the platform’s overall security directly. Examples include minor information disclosures. | up to $50 USD
Medium | Vulnerabilities that could potentially lead to indirect or limited impact on the platform’s operation or user data. This includes flaws like user-interaction based cross-site scripting (XSS) and limited unauthorized data access. | up to $100 USD
High | Issues that allow significant unauthorized actions such as manipulating user data or affecting transaction integrity. Examples are CSRF attacks that alter user settings or security misconfigurations exposing sensitive user data. | up to $150 USD
Critical | Vulnerabilities with potential for severe damage, such as those enabling full system access, significant data breaches, or substantial unauthorized access to sensitive financial data. This includes SQL injections and critical authentication flaws. | starting from $150 USD
Get Started:
To participate in our Bug Bounty Program, follow these steps:
- Find a security issue within our platform.
- Write a report detailing the issue and steps to reproduce it. If possible, attach evidence to support your findings.
- Send your report to security@supermoney.com.
- Please allow up to 5 business days for a response before following up.
Bounty Program Rules
To ensure the smooth operation of our Bug Bounty Program, we kindly ask that you adhere to the following rules:
- Submit reports only to security@supermoney.com.
- Allow our team a reasonable amount of time to address reported vulnerabilities.
- The final decision on eligibility and reward value rests with SuperMoney’s InfoSec team.
Updated: June 11th, 2024.