Banco Plata Bug Bounty Program

Introduction

🛡️ Banco Plata

Security is a shared responsibility - and a shared passion. At Banco Plata, we believe the best way to build secure systems is to open the door to those who know how to break them.

We're proud to collaborate with: • 🧑‍💻 Ethical hackers • 🔍 Security researchers • 🛠️ Builders, breakers, and tinkerers

We invite you to: • Test our apps and systems • Report vulnerabilities

Break things safely. We will fix them fast. Protect together.

🤝 What we stand for: • Respect for the hacker mindset • Open, responsible disclosure • Fast, transparent response • Mutual trust and community-driven defense

Whether you're hunting bugs, probing systems, or helping secure the financial future - you're part of the team.

Hack for good. Help protect what matters.

Program Highlights

Open Scope: Rewards reports for all owned assets based on impact, even if not listed in scope.

Fast Payment: Ensures payment within 1 month of receiving a vulnerability report.

Gold Standard Safe Harbor: Adheres to Gold Standard Safe Harbor.

Platform Standards: Fully compliant with Platform Standards.

Coordinated Vulnerability Disclosure: Undeclared

Top Response Efficiency: This program's response efficiency is above 90%.

Managed by HackerOne: Collaboration Enabled. Includes Retesting.

Response Times:

• Average time to first response: 11 hours
• Average time to triage: 1 day, 2 hours
• Average time to bounty: 1 week, 6 days
• Average time from submission to bounty: 2 weeks, 1 day
• Average time to resolution: 2 weeks, 4 days

Rewards

Our rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Banco Plata.

Low: $100–$200 (Avg. bounty $150)

Medium: $250–$750 (Avg. bounty $500)

High: $800–$2,500

Critical: $3,000–$5,000

Disclosure Policy

• As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.

• Follow HackerOne's disclosure guidelines.

Program Rules

• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

• Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.

• When duplicates occur, we only award the first report received (provided it can be fully reproduced).

• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

• Social engineering (e.g., phishing, vishing, smishing) is prohibited.

• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.

• Ask the program team before submitting vulnerabilities on unscoped subdomains.

• Only interact with accounts you own or with the explicit permission of the account holder.

Test Plan

• You can test website, systems or apps

• You can apply for a card (Mexico)

• Please use your hacker email alias when testing ([email protected])

Session Layer: HTTP Headers

Researchers should add headers to requests such as:

• "X-HackerOne-Research: [H1 username]"

Thank you for helping keep Banco Plata and our users safe!