monobank passed the first external pentest – according to the results of the first Bug Bounty, which took place on December 1, accredited “white” (ethical) hackers found several “holes” in the security of the IT systems of the popular neobank. Maksym Pugach, Chief Information Officer of the Fintech Band, told Forbes about the results of the hackathon.
This is the first time in six years that monobank has organized a vulnerability disclosure program, and it allocated a fairly solid budget of UAH 1 million for it; we covered all the key details on November 17, when registration opened.
As monobank's chief IT officer reported, almost 1,000 white hats applied to take part in the vulnerability search program, but in the end only 275 specialists were selected, each of whom signed the NDA through the Diya (“Action”) application; this, among other things, helped the management of the mono-Russian … Agency.
23 hackers who submitted 46 reports took an active part in the competition. The participants did not find any critical (P1) vulnerability; two high-severity P2 vulnerabilities, one P3, and six lowest-severity P4 bugs were reported. The maximum award under the program was $750, paid for a P2 vulnerability. Researchers receive $500 for P3 vulnerabilities and $250 for P4 vulnerabilities. Interestingly, these amounts differ slightly from those listed in the original award table, but there may be nuances in how severity was assessed. In addition, every participant was paid an extra $100, and total payouts under the program amounted to $6,800.
Monobank plans the next competition in a year or two; the frequency will depend on the volume of new features released. One can only hope that such contests will make monobank secure and resilient against future attacks, such as the recent massive DDoS attack on December 12. Perhaps Kyivstar should also consider restarting its own Bug Bounty program, given the bitter experience and mistakes of the past.
- In 2020, the Ministry of Digitization held a similar Bug Bounty marathon with a prize fund of UAH 1 million to test the Diya application; the ministry then stated that the state service was impenetrable to hackers and that no one had managed to hack Diya. However, questions arose about the organization of the contest because access to participation was limited.
- monobank is a card product of Fintech Band and Universal Bank. The first was founded in January 2017 by former PrivatBank top managers Oleg Horokhovskyi, Dmytro Dubilet and Mykhailo Rogalskyi. The project uses the banking license of Universal Bank, which is part of the TAS group and belongs to Ukrainian businessman Serhiy Tihipko.