Implementing a bug bounty program

(Ross Gardiner) #1

The launch of Monzo’s developer API today made me wonder about how Monzo deals with security reports from external researchers. I couldn’t find any information on the website about reporting vulnerabilities, and it also appears that Monzo does not have a bug bounty program.

Most tech companies have bug bounties (some hosted through Bugcrowd or HackerOne), and I think they are now considered best practice in the industry. Such a program would encourage researchers to help improve Monzo’s security, as well as adding a floor to the price of exploits on the black market.

(Michael) #2

I note from reading the Starling update today:

that they now have their own space at HackerOne:

As per OP, is this something Monzo have considered or will consider?

(Not a security researcher and not looking to find bugs, just curious)