Finanzguru Bug-Bounty Program

Program Scope

Includes previously unknown security and privacy issues in the following products:

Qualifying Vulnerabilities

Any design or implementation issue that affects the confidentiality or integrity of customer data is likely to be in scope for the program.

Common examples include:

  • Authentication or Authorization flaws
  • Remote code execution (RCE)
  • App: insufficient security configurations

Out of Scope

  • Do NOT attempt any DoS attacks; they are not helpful at all
  • Do NOT use any testing tools that automatically generate large volumes of traffic; doing so will automatically disqualify you from all bug bounties
  • Do NOT try to hack real customer accounts; keeping the privacy and security of our customers intact is important, so use your own accounts
  • Minor UI/UX bugs - we are always happy to hear from you about things we can improve but we don’t have rewards for bugs that are not vulnerabilities
  • Vulnerabilities affecting outdated app versions or mobile platforms
  • Issues that require physical access to a victim’s computer/device
  • Missing security-related HTTP headers or DNS records which do not lead directly to a vulnerability
  • Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated
  • Previously reported issues - the first report to clearly demonstrate an issue gets the reward
  • OAuth secrets found in static app files (such as strings.xml) are not critical for us. They are only used to start the auth process and do not affect the confidentiality or integrity of customer data.
  • Missing SSL pinning for static resources such as the banklist

IMPORTANT:

Not making a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research will automatically disqualify you from all bug bounties.

Rewards

Rewards depend on the CVSS score (Common Vulnerability Scoring System version 3.1):

  • LOW (0.1-3.9) -> 2 Years FG Plus
  • MEDIUM (4.0-6.9) -> Lifetime FG Plus
  • HIGH (7.0-8.9) -> Up to €750
  • CRITICAL (9.0-10.0) -> Up to €2,000

Any rewards that are unclaimed after 2 months will be canceled.

The final reward is always chosen at the discretion of the team investigating the issue. We may decide to pay higher rewards for unusually severe security issues, pay lower rewards for vulnerabilities with a very low likelihood to occur, decide that a single report actually consists of several bugs, or that several reports are actually the same issue.

Reporting Bugs

  • Overview: Short technical description
  • Impact: Explanation of how the attack could be executed in a real world scenario
  • Proof Of Concept: Detailed steps on how to reproduce the vulnerability
  • Suggested Fix: How this vulnerability should be addressed

Reports should be submitted in English or German to security@finanzguru.de. Any additional information (network data, usage examples, specs, or videos) is welcome.

Bounty Payments

Bounty payments are subject to the following restrictions:

  • All payments will be made in Euro and will comply with local laws, regulations, and ethics rules. You are responsible for the tax consequences of any bounty you receive, as determined by the laws of your country.
  • For accounting reasons, we need an invoice to initiate bounty payments.

Already Reported

  • SEC1: Missing MTA-STS Email Header