For the first time in six years, “monobank” held a bug bounty and issued rewards for found vulnerabilities

Author:
Oleksandra Amru
Date:

From November 17 to December 1, the largest Ukrainian digital bank “monobank”, for the first time in six years, held a bug bounty — a special program to find vulnerabilities and defects in the system with the involvement of "white" (ethical) hackers.

The director of information technologies of the IT company Fintech Band Maksym Puhach told Forbes about the results of the hackathon.

In total, about a thousand participants applied for participation in the program for finding vulnerabilities (bug bounty) in the “monobank” application. 275 people moved on to the next stage — they signed a non-disclosure agreement with the company. The signing took place through the "Diia" application, in particular in order to weed out the citizens of the aggressor country.

23 hackers who submitted 46 reports actively participated in the bug bounty. The participants did not identify critical level (P1) vulnerabilities. Regarding high-level (P2) vulnerabilities, program participants submitted two reports. Hackers also found one vulnerability of level (P3) and six confirmed vulnerabilities of the lowest level — (P4).

The largest reward that monobank will pay as a result of the bug bounty is $750 for a level 2 vulnerability found. Hackers will receive $500 for finding vulnerabilities of the third level (P3), and $250 for finding vulnerabilities of the fourth level (P4).

Also, all participants will receive an additional $100 for participating in the bug bounty — in total, “mono” will pay hackers $6 800.

The next bug bounty in “monobank” is planned to be held in a year or two.

"The choice of periodicity depends on the amount of new functions in the application," noted Maksym Puhach.