Monzo launches public bug bounty program to strengthen digital security

Monzo is launching its public bug bounty program, a strategic step to bolster online security. With a keen focus on user safety, this initiative aims to identify and rectify digital vulnerabilities. This move not only highlights Monzo’s dedication to security but also promises to enhance the trust and experience of its users.

The past challenges

Prior to this initiative, Monzo relied heavily on a Intigriti hosted Vulnerability Disclosure Program (VDP), which enabled individuals to directly submit security findings to the security team. Although this method yielded some important insights, it also produced a high volume of low-quality reports. With only a highly focussed security team like Monzos, filtering through these often-unsubstantial reports proved to be extremely time-consuming.

Monzo collaborated with Intigriti to fine-tune the scope of the program and develop a comprehensive information repository for Intigriti’s triage team, ensuring prompt responses to submissions. After these preparations, Monzo shifted to a private bug bounty program.

A private bounty program is an invite-only initiative where selected researchers are rewarded for finding bugs, ensuring focused and high-quality contributions from trusted participants. Intigriti helped Monzo navigate some industry-specific challenges relating to the financial sector, such as setting up accounts and access for researchers to test in a controlled environment.

Engaging with a broader community

The private program’s success paved the way for today’s public launch, allowing Monzo to scale efforts and engage with a broader community. By opening systems to the scrutiny of a wider audience, Monzo can tap into a vast pool of knowledge and creativity. 

Objectives of the public bug bounty

Monzo’s primary goal remains unchanged: to safeguard the data of its millions of users. It understands the importance of trust in digital banking. By ensuring the security of its platform, Monzo aims to reinforce its users’ trust, ensuring they continue to rely on  the bank to manage their money and spend around the world.

The road ahead

Launching a public bug bounty program is a testament to Monzo’s commitment to cybersecurity. It’s a clear signal that it is serious about data security and transparency. By inviting ethical hackers to scrutinize its platform, Monzo ensures it remains robust against potential threats.

The team aims to offer researchers joining its public bug bounty program an excellent experience. Clear guidelines, comprehensive documentation, and responsive support channels have been established to assist researchers throughout their engagement. The dedicated security team is committed to working collaboratively with the community, providing timely feedback and recognition for contributions.

Well above average bounty rewards

Monzo has implemented a structured workflow that includes predefined reporting formats, a transparent triage system, and a fair reward structure. Given the value placed on bounty programs, Monzo has set bounties 60% above the industry average and 200% above the industry median as of publishing this post. This investment reflects Monzo's confidence in rigorous testing processes and the high level of engineering expertise at the company. The initiative underscores Monzo's dedication to maintaining the highest security standards while continually innovating to protect users.

You can find Monzo’s public bug bounty program here.