Details

#Modern Treasury Bug Bounty Policy

Modern Treasury looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe. This policy (“Policy”) governs your participation in our bug bounty program (“Program”). By submitting any vulnerabilities to Modern Treasury or otherwise participating in the Program, you agree to this Policy.

Modern Treasury may modify this Policy from time to time, to please check this site regularly. Modifications are effective on posting. You can subscribe to receive email notifications when this Policy is updated.

#Participant Eligibility To participate in our Program, you must be at least 18 years old. Modern Treasury employees and contractors (and their family members) are not eligible to participate directly or indirectly in our Program or to share information about our products or vulnerabilities with participants. You may not participate in the Program if: (a) you are a resident of any U.S. embargoed jurisdiction, including, but not limited to, Iran, North Korea, Cuba, the Crimea region, and Syria or (b) you are on the U.S. Treasury Department's list of Specially Designated Nationals or the U.S. Department of Commerce Denied Persons List or Entity List. By participating in the Program, you represent and warrant that you are not located in any such country or on any such list. Eligible Assets - Important

You must perform testing using @WeAreHackerOne.com emails, to allow Modern Treasury to track security research activity.
Perform testing only in sandbox mode (after login, ensure the left hand panel says “Viewing Sandbox mode”) and only accounts that are your own personal/test accounts (“Eligible Assets”).
You may not perform testing of any other Modern Treasury systems or assets.

#Rewards

Rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard)
All bounty amounts will be at the discretion of the Modern Treasury Bug Bounty team.
Reports submitted using methods that violate this Policy will not be eligible for a reward.
To be eligible for a reward, the report must be for Eligible Assets.
Multiple reports describing the same vulnerability against multiple assets or endpoints where the root cause is the same will be treated as one report. Do not submit duplicate reports for the same issue across multiple sites as the duplicates will be closed, and the issue will be treated as one report.
While we aim for consistency, previous reports and prior bounty amounts will not set a precedent for future report eligibility or severity.
Understand that there could be submissions for which we accept the risk, have other compensating controls, or will not address in the manner expected. When this happens, we will act as transparently as we can to provide you with the necessary context as to how the decision was made.

Reporting Best Practices

When reporting issues, especially if permissions are involved, please include a breakdown of:
- The users involved, and their roles and permissions
- The accounts and objects being set up before the vulnerability, and what users have which permissions for each
- The actual malicious flow that's being called, specifying affected objects and users involved, AND why it isn't a valid flow, i.e.

Admin user has admin access to the organization Invited user has per account access to account 1 Admin account creates account 1,2,3, invited user has access to only account 1 Invited user makes an API call to create a payment from account 3 to account 1 successsfuly This is an invalid flow because invited user only has access to account 1, and should not be able to make a payment from account 3

* This will expedite triage, verification, and awarding

#Program Conduct
* You agree and adhere to this Policy.
* You are the first to submit a sufficiently reproducible report for a vulnerability in order to be eligible for the report to be accepted and triaged.
* You are available to supply additional information, as needed by our team, to reproduce and triage the issue.
* Publically-known zero-day vulnerabilities will not be considered for eligibility until more than 30 days have passed since patch availability.
* Out-of-scope vulnerability reports or reports that are technically reproducible but pose a very low security impact are likely to be closed as Informative.


#Key Targets 
These are endpoints and actions that are critical and will warrant an increased bounty
* Any non-public administration or debugging endpoints
* "Modern Treasury" organization in production
* Authorization issues, ig. any lateral movement between organizations


#Program Rules
*Do*
* Read and abide by this program Policy.
* Only test Eligible Assets.
* Exercise caution when testing to avoid negative impact to customers and the services they depend on. 
* STOP testing if you are unsure about the impact it may have on our systems. If you think you may cause, or have caused, damage with testing a vulnerability, report your initial finding(s) and request authorization to continue testing.

*Do NOT:*
* Do not attempt to use Modern Treasury’s products to move money, access any bank accounts, or connect to any bank accounts.
* Do not access Modern Treasury system or assets other than the Eligible Assets identified in this Policy.
* Do not violate any laws or regulations.
* Do not brute force credentials or guess credentials to gain access to systems.
* Do not participate in denial of service attacks.
* Do not upload shells or create a backdoor of any kind.
* Do not engage in any form of social engineering of Modern Treasury employees, customers, or vendors.
* Do not engage or target any Modern Treasury employee, customer, or vendor during your testing.
* Do not attempt to access or interact with other users’ accounts or extract, download, or otherwise exfiltrate data other than your own.
* Do not access non-public information without authorization
* Do not change passwords of any account that is not yours. If ever prompted to change a password of an account you did not register yourself or an account that was not provided to you, stop and report the finding immediately.
* Do not do anything that would be considered a privacy violation, cause destruction of data, or interrupt or degrade our service.
* Do not attempt to extort or threaten Modern Treasury or make any ransom requests.


#Disclosure Policies
You may not disclose your submissions, findings, communications with Modern Treasury related to the Program, any vulnerabilities (even invalid and resolved ones) or anything you learned about Modern Treasury through the Program without our express written consent. 


#Legal Terms
* By reporting a vulnerability, you grant Modern Treasury and its affiliates a perpetual, irrevocable, worldwide, royalty-free license to use, copy, adapt, develop, create derivative work from, or share your submission for any purpose. You waive all claims, including breach of contract or implied-in-fact contract, arising out of your submission.


#Out of scope vulnerabilities
Modern Treasury reserves the right to add to and subtract from the below list depending on the evaluated severity of reported vulnerabilities and risk acceptance.
* Payment orders not checking for the permissions of the receiving account (permissions are only checked on the originating account)
* AccountGroups permissions checks missing (AccountGroups are just a grouping of accounts for a view, and not sensitive within an organization)
* Foreign exchange quote requests allowed without authorization check (Foreign exchange quote requests in Sandbox are allowed for any Internal Account)
* Missing export url authorization check (Export url access is only limited by login and organization, anyone in the org with the URL can view and download the export)
* InternalAccount permissions not applying to other permissions (InternalAccount permissions only apply to direct CRUD interactions with InternalAccount, not other interactions like Payment Orders)
* Clickjacking on pages with no sensitive actions
* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
* Attacks requiring MITM or physical access to a user's device
* Previously known vulnerable libraries without a working Proof of Concept
* Comma Separated Values (CSV) injection without demonstrating a vulnerability
* Missing best practices in SSL/TLS configuration
* Any activity that could lead to the disruption of our service (DoS).
* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
* Any activity that could lead to the disruption of our service (DoS), including but not limited to, inundating support services with invalid requests
* Bruteforce oracle attacks against unauthenticated endpoints
* Missing best practices in Content Security Policy
* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g., stack traces, application or server errors)
* Tabnabbing
* Issues that require unlikely user interaction by the victim
* Self-XSS
* Social engineering
* Unconfirmed vulnerabilities from automated vulnerability scanners
* Homoglyph phishing attacks / domain registration
* Best practices concerns
* Issues that depend on unpatched or outdated browsers or mobile platforms
* EXIF metadata not stripped from uploaded images



#Accountability
Modern Treasury reserves the right to terminate your participation in the Program if you violate this Policy, including without limitation the Disclosure Policies. 


# Known Issues
Known Issues include, but not limited to, are listed below. They will not be eligible for bounties:
* Instability after running Reset Sandbox
* User session id does not change after login
* Failure to invalidate session during email verification (sign up + oauth)
* DNSSEC not implemented.
* X-Forwarded-Host and X-Forwarded-Scheme redirection
* Missing Audit Trails log when user changes the password


#FAQs
1. Can I get Modern Treasury swag?
*Modern Treasury does not currently offer swag*

2. Can Modern Treasury provide me with a pre-configured test account?
*This Program does not provide credentials or any special access*

3. [What is required when submitting a report](https://docs.hackerone.com/hackers/submitting-reports.html)?

4. [How do I make my report great?](https://docs.hackerone.com/hackers/quality-reports.html)

5. [I submitted a report. Now what? I have questions.](https://www.hackerone.com/blog/how-bug-bounty-reports-work)

6. [What causes a report to be closed as Informative, Duplicate, N/A, or Spam?](https://docs.hackerone.com/hackers/report-states.html)

7. What is an example of an accepted vulnerability?
*Valid and accepted vulnerabilities would be the type of report that identifies a unique security impact on this program’s specific scope. The report must also meet any submission criteria outlined in the policy, such as test plan instructions and a working proof of concept.*

When reporting issues, especially if permissions are involved, please include a breakdown of:

The users involved, and their roles and permissions
The accounts and objects being set up before the vulnerability, and what users have which permissions for each
The actual malicious flow that's being called, specifying affected objects and users involved, AND why it isn't a valid flow, i.e.

* This will expedite triage, verification, and awarding #Program Conduct * You agree and adhere to this Policy. * You are the first to submit a sufficiently reproducible report for a vulnerability in order to be eligible for the report to be accepted and triaged. * You are available to supply additional information, as needed by our team, to reproduce and triage the issue. * Publically-known zero-day vulnerabilities will not be considered for eligibility until more than 30 days have passed since patch availability. * Out-of-scope vulnerability reports or reports that are technically reproducible but pose a very low security impact are likely to be closed as Informative. #Key Targets  These are endpoints and actions that are critical and will warrant an increased bounty * Any non-public administration or debugging endpoints * "Modern Treasury" organization in production * Authorization issues, ig. any lateral movement between organizations #Program Rules *Do* * Read and abide by this program Policy. * Only test Eligible Assets. * Exercise caution when testing to avoid negative impact to customers and the services they depend on. * STOP testing if you are unsure about the impact it may have on our systems. If you think you may cause, or have caused, damage with testing a vulnerability, report your initial finding(s) and request authorization to continue testing. *Do NOT:* * Do not attempt to use Modern Treasury’s products to move money, access any bank accounts, or connect to any bank accounts. * Do not access Modern Treasury system or assets other than the Eligible Assets identified in this Policy. * Do not violate any laws or regulations. * Do not brute force credentials or guess credentials to gain access to systems. * Do not participate in denial of service attacks. * Do not upload shells or create a backdoor of any kind. * Do not engage in any form of social engineering of Modern Treasury employees, customers, or vendors. * Do not engage or target any Modern Treasury employee, customer, or vendor during your testing. * Do not attempt to access or interact with other users’ accounts or extract, download, or otherwise exfiltrate data other than your own. * Do not access non-public information without authorization * Do not change passwords of any account that is not yours. If ever prompted to change a password of an account you did not register yourself or an account that was not provided to you, stop and report the finding immediately. * Do not do anything that would be considered a privacy violation, cause destruction of data, or interrupt or degrade our service. * Do not attempt to extort or threaten Modern Treasury or make any ransom requests. #Disclosure Policies You may not disclose your submissions, findings, communications with Modern Treasury related to the Program, any vulnerabilities (even invalid and resolved ones) or anything you learned about Modern Treasury through the Program without our express written consent. #Legal Terms * By reporting a vulnerability, you grant Modern Treasury and its affiliates a perpetual, irrevocable, worldwide, royalty-free license to use, copy, adapt, develop, create derivative work from, or share your submission for any purpose. You waive all claims, including breach of contract or implied-in-fact contract, arising out of your submission. #Out of scope vulnerabilities Modern Treasury reserves the right to add to and subtract from the below list depending on the evaluated severity of reported vulnerabilities and risk acceptance. * Payment orders not checking for the permissions of the receiving account (permissions are only checked on the originating account) * AccountGroups permissions checks missing (AccountGroups are just a grouping of accounts for a view, and not sensitive within an organization) * Foreign exchange quote requests allowed without authorization check (Foreign exchange quote requests in Sandbox are allowed for any Internal Account) * Missing export url authorization check (Export url access is only limited by login and organization, anyone in the org with the URL can view and download the export) * InternalAccount permissions not applying to other permissions (InternalAccount permissions only apply to direct CRUD interactions with InternalAccount, not other interactions like Payment Orders) * Clickjacking on pages with no sensitive actions * Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions * Attacks requiring MITM or physical access to a user's device * Previously known vulnerable libraries without a working Proof of Concept * Comma Separated Values (CSV) injection without demonstrating a vulnerability * Missing best practices in SSL/TLS configuration * Any activity that could lead to the disruption of our service (DoS). * Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS * Any activity that could lead to the disruption of our service (DoS), including but not limited to, inundating support services with invalid requests * Bruteforce oracle attacks against unauthenticated endpoints * Missing best practices in Content Security Policy * Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version] * Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g., stack traces, application or server errors) * Tabnabbing * Issues that require unlikely user interaction by the victim * Self-XSS * Social engineering * Unconfirmed vulnerabilities from automated vulnerability scanners * Homoglyph phishing attacks / domain registration * Best practices concerns * Issues that depend on unpatched or outdated browsers or mobile platforms * EXIF metadata not stripped from uploaded images #Accountability Modern Treasury reserves the right to terminate your participation in the Program if you violate this Policy, including without limitation the Disclosure Policies. # Known Issues Known Issues include, but not limited to, are listed below. They will not be eligible for bounties: * Instability after running Reset Sandbox * User session id does not change after login * Failure to invalidate session during email verification (sign up + oauth) * DNSSEC not implemented. * X-Forwarded-Host and X-Forwarded-Scheme redirection * Missing Audit Trails log when user changes the password #FAQs 1. Can I get Modern Treasury swag? *Modern Treasury does not currently offer swag* 2. Can Modern Treasury provide me with a pre-configured test account? *This Program does not provide credentials or any special access* 3. [What is required when submitting a report](https://docs.hackerone.com/hackers/submitting-reports.html)? 4. [How do I make my report great?](https://docs.hackerone.com/hackers/quality-reports.html) 5. [I submitted a report. Now what? I have questions.](https://www.hackerone.com/blog/how-bug-bounty-reports-work) 6. [What causes a report to be closed as Informative, Duplicate, N/A, or Spam?](https://docs.hackerone.com/hackers/report-states.html) 7. What is an example of an accepted vulnerability? *Valid and accepted vulnerabilities would be the type of report that identifies a unique security impact on this program’s specific scope. The report must also meet any submission criteria outlined in the policy, such as test plan instructions and a working proof of concept.*