Submit bug report: https://moonpay.com@moonpay
Policy
MoonPay Bug Bounty Program
At MoonPay, we are committed to maintaining the security and privacy of our products and customers. We believe that working with the security research community through our bug bounty program is a crucial part of our overall security strategy. We are grateful for the contributions of the security community, and we look forward to working together to keep MoonPay secure.
If you have any questions about the scope of our bug bounty program or if you are unable to properly access or test the assets in scope, please contact us at security@moonpay.com.
Response Targets
MoonPay will make a best effort to meet the following SLAs for hackers participating in our program:
Type of Response SLA in business days
First Response 5 days
Time to Triage 10 days
Time to Bounty 30 days
Time to Resolution depends on severity and complexity
We will do our best to keep you informed about our progress throughout the process.
Disclosure Policy
Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the MoonPay Security team.
Program Rules
Please provide detailed reports with reproducible steps. If the report is not detailed enough to
reproduce the issue, the issue will not be eligible for a reward.
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
Out of scope vulnerabilities
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
Clickjacking
Unconfirmed reports from automated vulnerability scanners
Security weaknesses with no evidence of the ability to target a remote victim. For example: HTTP Host header attack, missing rate limits, bruteforcing without demonstrating impact, etc.
Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
Attacks requiring a MITM or physical access to a user's device
Previously known vulnerable libraries without a working Proof of Concept
Comma Separated Values (CSV) injection without demonstrating a vulnerability
Missing best practices in SSL/TLS configuration
Arbitrary file upload
Email flooding
User enumeration
Any activity that could contribute to the disruption of our service (DoS).
Content spoofing and text injection issues
Theoretical subdomain takeovers with no supporting evidences
Missing Content Security Policy
Missing HttpOnly or Secure flags on cookies
Missing email security best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
Vulnerabilities only affecting users of outdated or unpatched browsers
Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g., stack traces, application or server errors)
Tabnabbing
Self XSS
Broken links
Open redirect - unless an additional security impact can be demonstrated
Rate limit bypass through IP rotation techniques
Session invalidation issues (logout not expiring sessions)
Issues that require unlikely user interaction by the victim
Vulnerabilities on subdomains that point to third party services.
Disclosure of API keys with the prefix pk_*. These are publishable keys and are not sensitive.
Rewards
Rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard).
Reports submitted using methods that violate policy rules will not be eligible for a reward. To be eligible for a reward, the report must be for bounty eligible assets as defined in the scope section of our policy.
Multiple reports describing the same vulnerability against multiple assets or endpoints where the root cause is the same will be treated as one report. Do not submit duplicate reports for the same issue across multiple sites as the duplicates will be closed, and the issue will be treated as one report.
While we aim for consistency, previous reports and prior bounty amounts will not set a precedent for future report eligibility or severity.
Understand that there could be submissions for which we accept the risk, have other compensating controls, or will not address in the manner expected. When this happens, we will act as transparently as we can to provide you with the necessary context as to how the decision was made.
Program Eligibility
You agree and adhere to the Program Rules and Legal terms as stated in this policy.
You are the first researcher to submit a sufficiently reproducible report for a vulnerability in order to be eligible for the report to be accepted and Triaged. You are available to supply additional information, as needed by our team, to reproduce and triage the issue.
Publicly-known zero-day vulnerabilities will not be considered for eligibility until more than 30 days have passed since patch availability.
Eligibility of reports about assets that are not explicitly listed as in-scope will be reviewed on a case-by-case basis.
MoonPay employees, contractors and other personnel are not eligible for participation in this program.
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep MoonPay and our users safe!
Legal
MoonPay reserves the right to modify the terms and conditions of this program, and your participation in the Program constitutes acceptance of all terms. Please check this site regularly as we routinely update our program terms and eligibility, which are effective upon posting. You can subscribe to receive email notifications when this policy is updated.
