
At the end of autumn, the largest Ukrainian neobank held a Bug Bounty for the first time in six years. Monobank invited developers to participate in the search for vulnerabilities in the bank's application and receive compensation for this. The results of the program became known.

The first monobank hackathon lasted from November 17 to December 1, 2023 inclusive. Its results were shared by Maksym Pugach, the financial institution's Chief Information Officer at Fintech Band.

Almost 1,000 developers applied for the Bug Bounty program, 275 of them advanced to the next stage and signed a non-disclosure agreement (NDA) with the neobank. It is known that these contracts were signed using the «Action» mobile application — for additional protection and, in particular, to screen out Russians who tried to participate in the program.

The most active participants of the hackathon were 23 developers who made a total of 46 reports. According to the publication, no vulnerabilities of a critical level were found at all. Meanwhile, hackers found one high-level issue that could affect the security of the software and the processes it supports. They also identified two P3 vulnerabilities that require little user interaction to activate, and six of the lowest-level vulnerabilities were confirmed. The latter may pose a risk to individual users and require interaction or significant prerequisites to run.

As reported by the neobank, it had planned to pay 60 thousand UAH, 40 thousand UAH, 30 thousand UAH and 10 thousand UAH per vulnerability for these types of problems, respectively.

According to the results of the program, monobank will pay $750 for a second-level vulnerability found, $500 for a third-level threat, and $250 for the lowest level. All hunters will receive an additional $100 incentive for participating in the program. That is, the first Bug Bounty program cost the financial institution $6.8 thousand.

The next hackathon is planned to be announced in a year or two; the timing will depend on the volume of new features in the application.