Bankera always puts the security of its clients' funds first: our Cybersecurity team is working tirelessly to spot any possible vulnerabilities in our systems. However, there is always a minimal possibility that some errors might still persist. Therefore, we decided to launch a bug bounty program which would allow our community to work hand in hand with Bankera and help in keeping our services safe, secure and high-quality.
Bounties are distributed depending on the severity of the reported vulnerability. Bankera has not set a maximum reward for the reported bugs — if you find a critical issue on our platform, the bounty will be increased accordingly. However, to see the general picture, find the guidelines of reward distribution in the table below. The determination of the final bounty remains solely at our discretion.
Description quality: Larger bounties may be allocated for clear and extensive bug bounty reports.
Proof of concept quality: Larger bounties may be allocated if the bug report includes scripts, testing code, as well as detailed instructions.
Fix quality, if included: Larger bounties may be allocated if the bug report provides suggestions on fixing the issue.
Critical: $4,000 - $15,000
High: $1,000 - $4,000
Medium: $200 - $1,000
Low: up to $200
Only unknown and previously unreported vulnerabilities are considered for rewards.
We only reward one bounty per bug. If multiple reports are submitted for the same vulnerability, we will reward the first reporter only.
To receive a reward, there must be no legal obstacle to doing so (e.g. you may not participate in this program if you are a resident of, or an individual located within, a country subject to international sanctions including but not limited to EC, FATF, US, UN).
In any case Bankera has the discretion to determine a reported vulnerability as insignificant, including its eligibility for the reward. By submitting a bug, you agree to follow the rules above.
Bug reports should be presented with a detailed step-by-step proof of concept that would help us reproduce and evaluate the problem. For instance, a report that explains a web-related error should contain at least:
Do not share any files and/or details related to the found bug publicly. This includes uploads to any publicly accessible platforms (e.g. YouTube, Imgur, Pastebin, etc.).
Encrypt the report and any necessary attachments with our PGP Public Key (available below).
Send your bug reports to [email protected].
If our Cybersecurity team is unable to reproduce and verify the bug, the bounty will not be paid.
Vulnerabilities found in any of Bankera's services are eligible for the bug bounty program, including the Bankera landing website and internet banking platform. In general, bugs that could potentially result in financial loss or a data breach are considered of sufficient severity to be rewarded. These might include:
Generally, the following issues are not considered severe enough and thus do not qualify for rewards:
Responsible disclosure includes but is not limited to:
Providing us a reasonable amount of time to fix the issue before publishing it elsewhere.
Not violating the privacy of other users, destroying any data or disrupting our services, etc. (acting in good faith).
Not defrauding Bankera users (do not interact with an individual account, which includes modifying or accessing data from the account) or Bankera itself in the process of discovery.
For exploits that need account access you must use your own account.
If you inadvertently access private data, we ask that you delete all related information, including but not limited to access codes, private data, etc., after notifying us.
If in the case of a bug you were able to access and/or move funds from Bankera, you commit to returning the whole amount to Bankera.
* To encourage responsible disclosure, we are not going to start legal action against the researchers who point out a problem provided they do their best to follow the guidelines above.