Moneytree KK

  • $300 – $5,000 per vulnerability
  • Partial safe harbor
  • Managed by Bugcrowd

Program stats

25 vulnerabilities rewarded

Validation within 2 days
75% of submissions are accepted or rejected within 2 days

$750 average payout (last 3 months)

Moneytree provides a personal finance management app that uses data aggregation to radically simplify your relationship with money. The service currently supports Japanese and Australian financial institutions and provides a Japanese & English language interface.

This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings.

New updates to the out-of-scope testing items below; please take note.

Reward range

Technical severity   Reward range
P1 Critical          $4,000 - $5,000
P2 Severe            $2,000 - $3,000
P3 Moderate          $750 - $1,000
P4 Low               $300 - $500
P5 submissions do not receive any rewards for this program.

Targets

In scope

Target name Type Tags
app-staging.getmoneytree.com Website Testing
  • Website Testing
  • Ruby on Rails
  • ReactJS
  • Ruby
  • Newrelic
au-api-staging.getmoneytree.com API Testing
  • API Testing
  • HTTP
  • Ruby on Rails
  • jQuery
  • Ruby
  • Newrelic
jp-api-staging.getmoneytree.com API Testing
  • API Testing
  • HTTP
  • Ruby on Rails
  • jQuery
  • Ruby
  • Newrelic
myaccount-staging.getmoneytree.com API Testing
  • API Testing
  • HTTP
  • Ruby on Rails
  • ReactJS
  • Ruby
  • Newrelic
wwws-staging.moneytree.jp/link/ Website Testing
  • Website Testing
  • Bootstrap
  • Moment.js
  • jQuery
  • Angular
  • Modernizr
  • Amazon S3
  • Amazon Cloudfront
wwws-staging.moneytree.jp/link/mobile/ Website Testing
  • Website Testing
  • Bootstrap
  • Moment.js
  • jQuery
  • Angular
  • Modernizr
  • Amazon S3
  • Amazon Cloudfront
wwws-staging.moneytree.jp/link/mobile/#/signup?client_id=38d99a6e8e9fc87c866f5aa82bdc2569c464b2323a55e0b28f658efa678e9623&redirect_uri=https://wwws-staging.moneytree.jp/link/mobile/callback&response_type=token&scope=guest_read+accounts_read+transactions_read+request_refresh Website Testing
  • Website Testing
Moneytree staging Android Mobile Application (see below) Android
  • Mobile Application Testing
  • Android
  • Java
  • Kotlin
Moneytree iOS Mobile Application (production; see below) iOS
  • Mobile Application Testing
  • iOS
  • Objective-C
  • Swift
  • SwiftUI
https://engineering-staging.getmoneytree.com Website Testing
  • Website Testing
https://csv-uploader-staging.getmoneytree.com Website Testing
  • Website Testing
https://vault-staging.getmoneytree.com Website Testing
  • Website Testing

Out of scope

Target name Type
moneytree.jp Website Testing
Any production asset of Moneytree KK (excepting the iOS app) Website Testing
getmoneytree.com Website Testing

Any domain/property of Moneytree KK not listed in the targets section is out of scope. This includes any/all subdomains not listed above.


For this program, we're inviting researchers to test our staging platform, divided into:

  • Devices: (a) iOS and (b) Android applications
    (a) https://itunes.apple.com/au/app/id586847189 (production build; read the iOS note below)
    (b) https://play.google.com/store/apps/details?id=jp.moneytree.moneytree (production .apk; read the note below)

  • Webclients: (a) general, (b) partners, (c) mobile and (d) oauth
    (a) app-staging.getmoneytree.com
    (b) wwws-staging.moneytree.jp/link/
    (c) wwws-staging.moneytree.jp/link/mobile/
    (d) wwws-staging.moneytree.jp/link/mobile/#/signup?client_id=38..

  • Regional API: (a) and (b) are our main monolithic API (it internally connects to several services)
    (a) jp-api-staging.getmoneytree.com
    (b) au-api-staging.getmoneytree.com

  • Guest Service: OAuth
    (a) myaccount-staging.getmoneytree.com

Hosting a staging build for iOS is impractical, so we shared the production App Store link. You may use it to understand the navigation flow, but do not pentest any domain whose name does not contain "staging".

Access

There are no restrictions, but some rate-limits may apply.

Credentials

  • Register your free accounts with your @bugcrowdninja email.
  • You're free to upgrade your account with a Stripe test card, e.g. 4242424242424242 (any expiration date).
  • Use the client_id provided in the scope URL to test any OAuth flow.
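
The signup URL in scope is an OAuth implicit-grant request (response_type=token), so the access token comes back in the fragment of the redirect_uri rather than in a query string the server would see. The helper below is an added example, not Moneytree's code: it rebuilds that authorization URL from the client_id, redirect_uri and scopes listed in scope, adds a state parameter (which the scope URL does not carry), and parses a callback URL into its token, granted scopes and any scope that was requested but not granted. The state value, the sample callback URL and its token are constructed for illustration; the real callback format on the staging client may differ.

```python
"""Helpers for exercising the staging OAuth implicit flow.

Added example, not Moneytree's code. CLIENT_ID, REDIRECT_URI and SCOPES are
taken from the in-scope signup URL; the state value and SAMPLE_CALLBACK are
constructed for illustration only.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_BASE = "https://wwws-staging.moneytree.jp/link/mobile/#/signup"
CLIENT_ID = "38d99a6e8e9fc87c866f5aa82bdc2569c464b2323a55e0b28f658efa678e9623"
REDIRECT_URI = "https://wwws-staging.moneytree.jp/link/mobile/callback"
SCOPES = ["guest_read", "accounts_read", "transactions_read", "request_refresh"]

# Constructed sample of what an implicit-grant callback could look like.
SAMPLE_CALLBACK = (
    REDIRECT_URI
    + "#access_token=tok_example&token_type=bearer&expires_in=3600"
    + "&scope=guest_read+accounts_read+transactions_read&state=s123"
)


def build_authorize_url(state: str) -> str:
    """Rebuild the scope URL, adding `state` so the callback can be bound to this request."""
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "token",  # implicit grant: token is delivered in the URL fragment
        "scope": " ".join(SCOPES),  # urlencode joins scopes with '+', as in the scope URL
        "state": state,
    }
    return AUTHORIZE_BASE + "?" + urlencode(params)


def parse_implicit_callback(url: str, expected_state: str) -> dict:
    """Extract the implicit-grant response from a callback URL.

    RFC 6749 section 4.2.2 puts the access token in the fragment, so it never
    reaches the redirect_uri's server. A token in the query string, a callback
    on a different redirect_uri, or a state mismatch each raise ValueError.
    """
    parts = urlsplit(url)
    landed_on = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if landed_on != REDIRECT_URI:
        raise ValueError(f"callback landed on unexpected redirect_uri: {landed_on}")
    if "access_token" in parse_qs(parts.query):
        raise ValueError("access_token delivered in the query string, not the fragment")

    frag = {k: v[0] for k, v in parse_qs(parts.fragment).items()}
    if frag.get("state") != expected_state:
        raise ValueError("state mismatch: callback is not bound to our request")
    if "access_token" not in frag:
        raise ValueError(f"no token in callback: {frag.get('error', 'unknown error')}")

    granted = set(frag.get("scope", "").split())  # parse_qs turned '+' back into spaces
    return {
        "access_token": frag["access_token"],
        "token_type": frag.get("token_type", ""),
        "expires_in": int(frag["expires_in"]) if "expires_in" in frag else None,
        "granted_scopes": granted,
        "missing_scopes": set(SCOPES) - granted,
    }


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    print(build_authorize_url(state))
    print(parse_implicit_callback(SAMPLE_CALLBACK, "s123"))
```

Keep the state value per session: comparing it on the callback is what distinguishes a response to your own request from one that was injected. Note that the Angular client routes on the fragment, so the query string sits after `#/signup` exactly as in the scope URL.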

Test institutions can be used to simulate linking bank, credit card or point accounts. To reach them, select 'bank' when adding an account and then 'test financial institution'; this presents the test bank, credit card and other options. Other test institutions can be used to simulate error states.

500 Internal Errors

If you trigger a 500, we receive an alert and will fix it as soon as possible. Please stop fuzzing that endpoint once you have hit one.
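
A practical way to honour that rule is to make the request loop stop itself at the first 5xx. The harness below is an added example, not Moneytree's code: it sends candidate inputs through a caller-supplied transport, pauses between requests to stay under the rate limits mentioned above, records the first server error together with the payload that triggered it (so it can go straight into the report), and does not send anything further. The stub transport, its size threshold and the payload list are constructed for illustration; `make_http_send` takes the target URL and form field from the caller, since the page lists hosts but no endpoint paths.

```python
"""Fail-fast request loop for staging testing.

Added example, not Moneytree's code. The stub transport and PAYLOADS are
constructed for illustration; a real target URL and form field must be
supplied by the caller to make_http_send.
"""
from __future__ import annotations

import time
from dataclasses import dataclass, field
from typing import Callable, Iterable, Optional


@dataclass
class RunResult:
    sent: list[tuple[str, int]] = field(default_factory=list)  # (payload, status) before any 5xx
    server_error: Optional[tuple[str, int]] = None            # first (payload, status) that hit 5xx


def run_until_server_error(
    payloads: Iterable[str],
    send: Callable[[str], int],
    delay: float = 0.5,
) -> RunResult:
    """Send each payload in turn; stop at the first 5xx and keep the offending input.

    `send` performs one request and returns the HTTP status code. `delay` is the
    pause between requests, to respect the program's rate limits.
    """
    result = RunResult()
    for payload in payloads:
        status = send(payload)
        if 500 <= status < 600:
            result.server_error = (payload, status)
            break  # one alert on their side is enough; do not keep hammering it
        result.sent.append((payload, status))
        time.sleep(delay)
    return result


def make_http_send(url: str, form_field: str) -> Callable[[str], int]:
    """Real transport: POST the payload in one form field and return the status.

    url and form_field are assumptions supplied by the caller; the page does
    not list endpoint paths.
    """
    from urllib import error, parse, request

    def send(payload: str) -> int:
        data = parse.urlencode({form_field: payload}).encode()
        req = request.Request(url, data=data, method="POST")
        try:
            with request.urlopen(req, timeout=10) as resp:
                return resp.status
        except error.HTTPError as exc:
            return exc.code  # 4xx/5xx surface here, not as a normal response

    return send


def stub_send(payload: str) -> int:
    """Constructed stand-in for a real request: 500 on an oversized input."""
    return 500 if len(payload) > 64 else 200


# Constructed sample inputs: three ordinary values, then two oversized ones.
PAYLOADS = ["user@example.com", "'", "<script>", "A" * 100, "B" * 200]


if __name__ == "__main__":
    outcome = run_until_server_error(PAYLOADS, stub_send, delay=0)
    print("sent before error:", outcome.sent)
    print("stopped on:", outcome.server_error)
```

With the stub, the loop returns after the fourth payload and never sends the fifth; swap in `make_http_send(url, field)` against a staging endpoint and the same stop applies to the real alert on Moneytree's side.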

Note:

Researchers must provide a fully working non-malicious proof of concept that demonstrates a valid security impact in order to qualify for rewards.

Out-of-Scope

  • Missing DMARC or SPF records
  • The OAuth client_id is public by design and is not a finding. Other keys are valid testing targets, but note:
    - The Android app has the "allowBackup" attribute (and other debug settings) enabled deliberately, for testing.
    - Do not register with any email other than your official Bugcrowd one.
  • Vulnerabilities that require physical access to the mobile device and unlocking it
  • Any Intercom-related issues
  • Recommendations, best practices or anything without a proof of concept
  • Copy-and-pasted reports containing links from other customers
  • OAuth session token is not invalidated on logout or password change/reset
  • Delete account, change password and change email do not ask for the old password
  • Server Security Misconfiguration | No Rate Limiting on Form | Login [as of 9:30 PM PT on 1/25/2018]
  • Server Security Misconfiguration | No Rate Limiting on Form | Registration [as of 9:30 PM PT on 1/25/2018]
  • Server Security Misconfiguration | No Rate Limiting on Form | Email-Triggering [as of 9:30 PM PT on 1/25/2018]

Report any data leak

We would greatly appreciate your reporting all the information you uncover. Our customers deserve to be notified if their private information was exposed without their consent. Please make all reports confidentially via the Bugcrowd platform.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.