Bug Bounty Program

Bankera always puts the security of its clients' funds first: our Cybersecurity team is working tirelessly to spot any possible vulnerabilities in our systems. However, there is always a minimal possibility that some errors might still persist. Therefore, we decided to launch a bug bounty program which would allow our community to work hand in hand with Bankera and help in keeping our services safe, secure and high-quality.

Rewards

Bounties are distributed depending on the severity of the reported vulnerability. Bankera has not set a maximum reward for the reported bugs — if you find a critical issue on our platform, the bounty will be increased accordingly. However, to see the general picture, find the guidelines of reward distribution in the table below. The determination of the final bounty remains solely at our discretion.

  • The rewards are allocated based on:

    • Description quality
      Larger bounties may be allocated for clear and extensive bug bounty reports.

    • Proof of concept quality
      Larger bounties may be allocated if the bug report includes scripts, testing code, as well as detailed instructions.

    • Fix quality, if included
      Larger bounties may be allocated if the bug report provides suggestions on fixing the issue.

  • Bug severity and reward range:

    • Critical: $4,000 - $15,000
    • High: $1,000 - $4,000
    • Medium: $200 - $1,000
    • Low: up to $200

Only unknown and previously unreported vulnerabilities are considered for rewards.
We only reward one bounty per bug. If multiple reports are submitted for the same vulnerability, we will reward the first reporter only.
To receive a reward, there must be no legal obstacle to doing so (e.g. you may not participate in this program if you are a resident of, or an individual located within, a country subject to international sanctions, including but not limited to those of the EC, FATF, US and UN).
In any case, Bankera has the discretion to determine that a reported vulnerability is insignificant, including its eligibility for a reward. By submitting a bug, you agree to follow the rules above.

How to report a bug

  • Bug reports should be presented with a detailed step-by-step proof of concept that would help us reproduce and evaluate the problem. For instance, a report that explains a web-related error should contain at least:

    • HTTP requests and responses together with the affected parameters
    • Videos or screenshots (if needed)
    • Description of the browser (type), operating system, and device
    • Description of the perceived effect of the bug
    • Suggestions on how to solve the issue (if able)
  • Do not share any files and/or details related to the found bug publicly. This includes uploads to any publicly accessible platforms (e.g. YouTube, Imgur, Pastebin, etc.).

  • Encrypt the report and any necessary attachments with our PGP Public Key (available below).

  • Send your bug reports to [email protected].

If our Cybersecurity team is unable to reproduce and verify the bug, the bounty will not be paid.


Eligible bugs

  • Vulnerabilities found in any of Bankera's services are eligible for the bug bounty program, including the Bankera landing website and the internet banking platform. In general, bugs that could potentially result in financial loss or a data breach are considered of sufficient severity to be rewarded. These might include:

    • Cross-Site Request Forgery (CSRF)
    • Cross-Site Scripting (XSS)
    • Code Injection
    • Remote Code Execution
    • Privilege Escalation
    • Authentication Bypass
    • Clickjacking
    • Leakage of Sensitive Data

Ineligible bugs

  • Generally, the following issues are not considered severe enough and thus do not qualify for rewards:

    • Lack of DNSSEC
    • Host header injections without a specific and demonstrable impact
    • Flash based exploits
    • CSRF on forms that require no authentication or on non-sensitive actions
    • Clickjacking on pages with no sensitive actions
    • Vulnerabilities that require a man-in-the-middle attack (MITM) or physical access to a user’s web browser, email account or smartphone, and issues on rooted/jailbroken devices

Responsible disclosure

Responsible disclosure includes but is not limited to:

  • Providing us a reasonable amount of time to fix the issue before publishing it elsewhere.

  • Not violating the privacy of other users, destroying any data, or disrupting our services (acting in good faith).

  • Not defrauding Bankera users (do not interact with an individual account which includes modifying or accessing data from the account) or Bankera itself in the process of discovery.

  • For exploits that need account access, you must use your own account.

  • If you inadvertently access private data, we ask that you delete all related information, including but not limited to access codes, private data, etc., after notifying us.

  • If, as a result of a bug, you were able to access and/or move funds from Bankera, you commit to returning the whole amount to Bankera.

To encourage responsible disclosure, we will not start legal action against researchers who point out a problem, provided they do their best to follow the guidelines above.
