Public Responsible Vulnerability Disclosure Policy

Description

Moneytrans is a fintech company committed to promoting diversity and financial inclusion. We understand the importance of maintaining high IT security standards and appreciate the support of IT security researchers and members of cybersecurity communities in achieving this goal. If you discover an IT security vulnerability in any of our applications, we ask that you please inform us as soon as possible before making the issue public. This is called responsible disclosure, allowing us to take the necessary measures to address the problem. In this document, researchers will find all the information needed to conduct these activities in a way that can be mutually beneficial in a safe way.

Guidelines

Please note the general guidelines of this policy.

Notify us immediately after you discover a real or potential security issue.

Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.

Only use exploits to the extent necessary to confirm a vulnerability’s presence.

Give us a reasonable amount of time to resolve the issue before you publicly disclose it.

You do not intentionally compromise the privacy or safety of Moneytrans personnel or any third parties.

You do not intentionally compromise the intellectual property or other commercial or financial interests of any Moneytrans personnel, entities, or third parties.

After confirming the presence of a vulnerability or coming across sensitive data (such as personally identifiable information, financial details, or proprietary information, including trade secrets belonging to any entity), you must stop your testing, promptly notify us, and refrain from sharing this data with any other individuals or parties.

In Scope

We are making continuous significant efforts to address the issues we know about and prevent new issues from appearing. However, the ICT environment is constantly evolving, and so are the cybersecurity vulnerabilities.

Although we focus mainly on information and API security, safeguarding our customers’ data is paramount. Therefore, we’re particularly interested in receiving submissions related to the following:

  • Any unauthorised access.
  • Data leaking.
  • Being able to access any personal and/or contact information of customers not belonging to the logged-in user.
  • Access bank account number of balances not belonging to the logged-in user.
  • In general, the ability to access data that doesn’t belong to the logged-in user.
  • Account takeover attempts.
  • Issues on session management.

Vulnerability classification

The ultimate severity assessment of a vulnerability can only be ascertained after a comprehensive evaluation by the security officers and analysts.

Moneytrans employs the CVSS v3 industry standard as a foundational measure for determining the issue’s severity. Regardless of the numerical score, potential factors that heighten or mitigate risk should be considered in light of the contextual details provided.

More details about the scoring methodology can be checked out here:

Vulnerability submissions that may result in potential revenue losses are inherently contextual, particularly in cases where attackers do not directly gain financially (e.g., circumventing a payment barrier). Similarly, vulnerabilities within highly sensitive or exposed business components might entail indirect consequences, such as damage to reputation. Moneytrans could opt to reclassify a vulnerability when our business contextual factors that either lessen or intensify risk come into play.

Whenever a business impact modifier is invoked, it will be communicated transparently to the researcher. This modifier can only reduce the severity score calculated by the CVSSv3 calculator by a maximum of one category. Still, it has the potential to elevate the score to any category.

Vulnerability ratings

Severity rating

CVSS v3 score

None

0.0

Low

0.1 - 3.9

Medium

4.0 - 6.9

High

7.0 - 8.9

Critical

9.0 - 9.4

Exceptional

9.5 - 10.0

Bug kind

Severity (base)

Reflected HTML injection

Low

HTML injection in e-mails

Low

Disclosed PHP info/debug page

Low

E-mail verification bypass

Low

Open redirect without additional impact

Low

Broken link hijacking (high-traffic links)

Low

Exceptions

Some vulnerabilities may only slightly impact individual CVSS v3 metrics outlined above in a way that they do not warrant a severity upgrade. We have outlined these edge cases below so you know what severity assessment to expect:

Service Level Agreement

We will validate all submissions within the below timelines (once the Moneytrans IT Security team has verified your submission) 

*Working days: Mon-Fri, 9 am-5 pm (CET).

Severity

Max. Delay

Exceptional

Three working days

Critical

Five working days

High

Ten working days

Medium

14 working days

Low

14 working days

Domains / apps

The following domains and mobile applications are considered in the scope of this program.

www.moneytrans.eu

www.moneytrans.eu/api

Play Store : eu.moneytrans.online

App Store : 1454021645

Rules (scoping)

Domains not explicitly listed in this program's "Domains / apps" section are considered outside the scope of this bug bounty program.

Participants are strictly prohibited from performing automated scans or brute-force attempts. This includes sending multiple automated requests attempting different combinations or characters on a single endpoint. Additionally, participants are prohibited from making more than ten requests per second.

All researchers must configure their tooling (if applicable) by observing the following configuration:

Parameter Value
Request rate limit Max. 5 requests / second
User User agent MT-VlnDisclosure
Request headerX-MT-VlnDisclosure
  • Pre-auth account takeover / oauth squatting.
  • Self-XSS that cannot be used to exploit other users.
  • Verbose messages/files/directory listings without disclosing any sensitive information.
  • CORS misconfiguration on non-sensitive endpoints.
  • Missing cookie flags.
  • Missing security headers.
  • Cross-site Request Forgery with no or low impact.
  • Presence of autocomplete attribute on web forms.
  • Reverse tabnabbing.
  • Bypassing rate limits or the non-existence of rate limits.
  • Best practices violations (password complexity, expiration, re-use, etc.).
  • Clickjacking (all cases).
  • CSV Injection.
  • Host Header Injection.
  • Sessions not being invalidated (e.g. logout, enabling 2FA, including password reset ..).
  • Hyperlink injection/takeovers.
  • Mixed content type issues.
  • Cross-domain referer leakage.
  • Anything related to email spoofing, SPF, DMARC or DKIM.
  • Content injection.
  • Username / email enumeration.
  • E-mail bombing.
  • HTTP Request smuggling without any proven impact.
  • Homograph attacks.
  • XMLRPC enabled.
  • Banner grabbing / Version disclosure.
  • Open ports without an accompanying proof-of-concept demonstrating vulnerability.
  • Weak SSL configurations and SSL/TLS scan reports.
  • Not stripping metadata of images.
  • Disclosing API keys without proven impact.
  • Same-site scripting.
  • Subdomain takeover without taking over the subdomain.
  • Arbitrary file upload without proof of the existence of the uploaded file.

Mobile

  • Shared links that have been leaked through the system clipboard
  • URIs that are leaked because a malicious app has been granted permission to view opened URIs
  • Absence of certificate pinning
  • Sensitive data present in URLs or request bodies even when protected by TLS
  • Lack of obfuscation
  • Path disclosure in the binary
  • Lack of jailbreak and root detection
  • Crashes due to malformed URL schemes
  • Lack of binary protection controls (anti-debugging) and mobile SSL pinning
  • Snapshot/pasteboard leakage
  • Runtime hacking exploits (exploits that are only possible in a jailbroken environment)
  • API key leakage that is used for insensitive activities or actions
  • Excluded Activities: This program will not accept reports related to attacks requiring physical access to the victim’s device.

General

  • If Moneytrans has already identified a vulnerability reported by a participant through their tests, it will be considered a duplicate report.
  • The severity of theoretical security issues with no realistic exploit scenarios, attack surfaces, or issues requiring complex end-user interactions to be exploited may be reduced or excluded.
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  • Excluded Activities / not accepted:
  • Reports related to spam, social engineering, physical intrusion, DoS/DDoS attacks, or brute force attacks will not be accepted.
  • Vulnerabilities affecting non-current browsers (older than three versions) will not be eligible for a bounty.
  • Attacks that require physical access to a victim’s computer or device, man-in-the-middle attacks, or compromised user accounts will not be accepted.
  • Reports of zero-day vulnerabilities discovered within 14 days after the public release of a patch or mitigation may be accepted but are usually not eligible for a bounty.
  • Reports that indicate the software is out-of-date or vulnerable without providing proof of concept will not be accepted.

How to submit vulnerabilities

Send the vulnerability submissions to [email protected] Kindly build the Proof of Concept using the following template:

## Asset
[‍add the attack surface of this issue]

## Weakness
[add the type of the potential issue you have discovered.]

## Summary:
[add a summary of the vulnerability]

## Steps To Reproduce:
[add details for how we can reproduce the issue.]

[add step]

[add step]

[add step]

## Supporting Material/References:
[list any additional material (e.g. screenshots, logs, etc.)]

[attachment / reference]

Safe Harbor

By submitting your discoveries to Moneytrans following these rules, Moneytrans commits to refraining from undertaking legal measures against you. In the event of non-adherence to these guidelines, Moneytrans retains all legal entitlements. Should legal proceedings be instigated by a third party against you about actions carried out under this protocol, we will make efforts to publicise that your endeavours were executed following this policy.

We extend our gratitude for your assistance in upholding the safety of Moneytrans and our customer base.

Other considerations

Moneytrans offers no bounties for the vulnerabilities discovered. But it can:

  • Make public in the form of a “Hall of Fame” on our public corporate website the list of the most relevant researchers.
  • Moneytrans might, if needed, provide the researchers who request it a letter acknowledging their technical skills, code of conduct and fairness, discoveries and resolution guidelines, and/or findings whenever the vulnerabilities found are critical or exceptional. Important issues will also be considered when their solution significantly adds value to the company’s cybersecurity.

Moneytrans reserves its right to create private bug-bounty programs, for which Moneytrans will invite a selected set of researchers to conduct cybersecurity testing or ethical hacking activities to strengthen Moneytrans IT cybersecurity.

Find below an important resource to understand the new framework enabled by the Belgian authorities regarding cybersecurity vulnerability disclosure:

 

New legal framework for reporting IT vulnerabilities | Centre for Cyber Security Belgium