Implementing a bug bounty program


(Ross Gardiner) #1

The launch of Monzo’s developer API today made me wonder about how Monzo deals with security reports from external researchers. I couldn’t find any information on the website about reporting vulnerabilities, and it also appears that Monzo does not have a bug bounty program.

Most tech companies have bug bounties (some hosted through Bugcrowd or HackerOne), and I think they are now considered best practice in the industry. Such a program would encourage researchers to help improve Monzo’s security, as well as adding a floor to the price of exploits on the black market.