
Responsible Disclosure Policy

Our policy emphasizes:
  • Prompt reporting of potential security issues.
  • Detailed reports with clear steps to reproduce vulnerabilities.
  • Avoidance of privacy violations, data destruction, or service disruption.
  • Non-disclosure of submissions without explicit permission.
  • Safe harbor protection for researchers adhering to the policy.

Scope

The SuperMoney Bug Bounty Program covers all aspects of our platform, including:
We are interested in vulnerabilities such as injection attacks, authentication flaws, cross-site scripting, sensitive data exposure, privilege escalation, and in-app functionalities.

Exclusions / Out Of Scope

While we appreciate your efforts, please refrain from engaging in:
  • denial-of-service attacks;
  • spamming, social engineering, or phishing attempts;
  • physical attempts against SuperMoney property, or fingerprinting of public services;
  • reporting missing security headers or the possibility of accessing resources using specific headers;
  • UI bugs not related to security.

Reward

Bug rewards are at the discretion of SuperMoney’s InfoSec team. However, we ensure the minimum reward for eligible bugs (new, previously unidentified, verified vulnerability) is $10 USD.
For severe issues that potentially impact a large user base, higher rewards may be granted. It’s important to note that each bug qualifies for a reward only once.
Severity and reward
  • Low (up to $50 USD): Issues that pose minimal risk and typically do not affect the platform’s overall security directly. Examples include minor information disclosures.
  • Medium (up to $100 USD): Vulnerabilities that could potentially lead to indirect or limited impact on the platform’s operation or user data. This includes flaws like user-interaction based cross-site scripting (XSS) and limited unauthorized data access.
  • High (up to $150 USD): Issues that allow significant unauthorized actions such as manipulating user data or affecting transaction integrity. Examples are CSRF attacks that alter user settings or security misconfigurations exposing sensitive user data.
  • Critical (starting from $150 USD): Vulnerabilities with potential for severe damage, such as those enabling full system access, significant data breaches, or substantial unauthorized access to sensitive financial data. This includes SQL injections and critical authentication flaws.

Get Started

To participate in our Bug Bounty Program, follow these steps:
  1. Find a security issue within our platform.
  2. Write a report detailing the issue and steps to reproduce it. If possible, attach evidence to support your findings. Some useful information to include:
    • Platform: web, iOS or Android
    • Device model and OS version (for mobile)
    • Exact steps to reproduce, expected vs. actual behavior, and any test accounts used
    • Relevant screenshots, screen recordings, console logs or HAR/network captures (redact any sensitive personal data)
    • If the issue involves an API endpoint, the endpoint path, a sample request/response, and timestamps where possible
    • Whether the bug affects other users, can be triggered remotely, or requires specific permissions
  3. Send your report to security@supermoney.com.
  4. Please allow up to 5 business days for a response before following up.

Bounty Program Rules

To ensure the smooth operation of our Bug Bounty Program, we kindly ask that you adhere to the following rules:
  • Submit reports only to security@supermoney.com.
  • Allow our team a reasonable amount of time to address reported vulnerabilities.
  • The final decision on eligibility and reward value rests with SuperMoney’s InfoSec team.
  • Do not perform attacks that intentionally disrupt service (for example, DoS) or that target real customer accounts without explicit permission — follow our Responsible Disclosure rules. Exclusions and other program rules remain in force.
  • Please do not disclose the vulnerability publicly until we’ve had a chance to investigate.
Updated: October 03, 2025.