Bug Bounty Program

Help us keep MonxoBank secure. Earn rewards for finding and reporting security vulnerabilities.

Report a Bug View Scope

Up to $250,000

Maximum reward for critical vulnerabilities

Average payout: $2,500 | Response time: 24 hours

Reward Structure

Compensation based on vulnerability severity

Critical

$50K - $250K

Remote code execution, fund theft, complete account takeover

High

$10K - $50K

Privilege escalation, authentication bypass, sensitive data exposure

Medium

$1K - $10K

XSS, CSRF, information disclosure, business logic flaws

Low

$100 - $1K

UI/UX issues, missing security headers, rate limiting issues

Program Scope

What's in scope and what's not

In Scope

  • monxowallet.com (web application)
  • Mobile apps (iOS & Android)
  • API endpoints (api.monxowallet.com)
  • Smart contracts (audited)
  • Trading engine
  • Authentication systems
  • Payment processing
  • Card issuance system

Out of Scope

  • Third-party services
  • Denial of Service (DoS)
  • Social engineering
  • Physical attacks
  • Self-XSS
  • Missing security headers
  • Rate limiting issues
  • Spam functionality

Program Rules

Guidelines for participating researchers

Responsible Disclosure

  • Give us reasonable time to fix the issue before public disclosure (typically 90 days)
  • Make a good faith effort to avoid privacy violations, service disruption, and data destruction
  • Don't exploit a vulnerability beyond what is necessary to demonstrate it
  • Don't access or modify other users' data without explicit permission
  • Report the vulnerability to us first before sharing with third parties

Testing Guidelines

  • Only test against accounts you own or have explicit permission to test
  • Use your own funds or test funds for any financial testing
  • Don't perform any testing that could degrade our services for other users
  • Stop testing immediately if you discover a critical vulnerability

Safe Harbor

We will not pursue legal action against researchers who:

  • Follow our program rules and responsible disclosure guidelines
  • Make a good faith effort to avoid privacy violations and data destruction
  • Do not exploit vulnerabilities beyond what is necessary for demonstration
  • Report vulnerabilities to us directly

Out of Bounds

Activities that are not authorized include:

  • Any form of denial of service testing
  • Accessing or attempting to access other users' data
  • Social engineering attacks against our employees or users
  • Physical attacks against our infrastructure or personnel
  • Spam or phishing capabilities
  • Any illegal activities

How to Submit a Report

Provide detailed information for faster resolution

A good report includes:

  • Summary

    Clear description of the vulnerability

  • Steps to Reproduce

    Detailed reproduction steps with screenshots/videos

  • Impact Assessment

    Potential impact and affected users

  • Environment

    Browser, OS, app version, etc.

  • Remediation Suggestions

    Optional but appreciated recommendations

Submit your report via our secure PGP-encrypted form:

security@monxowallet.com

PGP Key: Use our PGP key (fingerprint: 8B4E 9C2A 3D5F 6B7C) for sensitive disclosures. We respond within 24 hours.

Hall of Fame

Researchers who have helped secure our platform

@security_pro

12 vulnerabilities found

$87,500 earned

@crypto_hunter

8 vulnerabilities found

$45,200 earned

@bug_bounty_king

6 vulnerabilities found

$32,800 earned