Skip to content
SuperMoney logo
SuperMoney logo

Bug Bounty Program

Published 06/11/2024 by

BrunoPimentel
Welcome to the SuperMoney Bug Bounty Program! Our program aims to strengthen SuperMoney’s cybersecurity posture by engaging with the security community to identify and address potential vulnerabilities in our platform.

Responsible Disclosure Policy

Our policy emphasizes:
  • Prompt reporting of potential security issues.
  • Detailed reports with clear steps to reproduce vulnerabilities.
  • Avoidance of privacy violations, data destruction, or service disruption.
  • Non-disclosure of submissions without explicit permission.
  • Safe harbor protection for researchers adhering to the policy.

Scope

The SuperMoney Bug Bounty Program covers all aspects of our platform, including:
  • supermoney.com website;
  • admin consoles;
  • API endpoints.
We are interested in vulnerabilities such as injection attacks, authentication flaws, cross-site scripting, sensitive data exposure, privilege escalation, and others.

Exclusions / Out Of Scope

While we appreciate your efforts, please refrain from engaging in
  • denial-of-service attacks;
  • spamming, social engineering, or phishing attempts;
  • physical attempts against SuperMoney property, fingerprinting on public services;
  • reporting missing security headers/possibility of accessing resources using specific headers;
  • UI bugs not related to security;

Reward

Bug rewards are at the discretion of SuperMoney’s InfoSec team. However, we ensure the minimum reward for eligible bugs (new, previously unidentified, verified vulnerability) is $10 USD.
For severe issues that potentially impact a large user base, higher rewards may be granted. It’s important to note that each bug qualifies for a reward only once.
SeverityReward
Low
Issues that pose minimal risk and typically do not affect the platform’s overall security directly. Examples include minor information disclosures.
up to $50 USD
Medium
Vulnerabilities that could potentially lead to indirect or limited impact on the platform’s operation or user data. This includes flaws like user-interaction based cross-site scripting (XSS) and limited unauthorized data access.
up to $100 USD
High
Issues that allow significant unauthorized actions such as manipulating user data or affecting transaction integrity. Examples are CSRF attacks that alter user settings or security misconfigurations exposing sensitive user data.
up to $150 USD
Critical
Vulnerabilities with potential for severe damage, such as those enabling full system access, significant data breaches, or substantial unauthorized access to sensitive financial data. This includes SQL injections and critical authentication flaws.
starting from $150 USD

Share this post:

You might also like