moneybox-bug-bounty

YesWeHackView on YesWeHack

RawAI Enhanced

6

In Scope

1

Out of Scope

In-Scope Assets (6)

Asset	Category	Bounty	Quick Links
https://admin-roundups.moneyboxapp.org	URL	Yes	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
https://admin.moneyboxapp.org	URL	Yes	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
https://api.moneyboxapp.com	URL	Yes	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
https://apps.apple.com/gb/app/moneybox-save-and-invest/id1049797239	IOS	Yes	-
https://play.google.com/store/apps/details?id=com.moneyboxapp	ANDROID	Yes	Play Store APKPure APKMirror
https://sycamore.moneyboxapp.org	URL	Yes	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa

Out-of-Scope Assets (1)

Asset	Category	Bounty
All domains or subdomains not listed in the above list of 'Scopes'	OTHER	Yes

Scope Changes (47)

Apr 22, 2026

Change	Asset	Category	Scope	Time
Added	https://api.moneyboxapp.com	URL	In Scope	16:21
Removed	the moneybox public website https://www.moneyboxapp.com/ and other moneyboxapp.com / moneyboxapp.org domains not listed are out of scope	OTHER	Out of Scope	16:21
Added	https://api.moneyboxapp.com	URL	In Scope	16:21
Added	https://admin.moneyboxapp.org	URL	In Scope	16:21
Added	https://admin-roundups.moneyboxapp.org	URL	In Scope	16:21
Added	https://sycamore.moneyboxapp.org	URL	In Scope	16:21
Added	all domains or subdomains not listed in the above list of 'scopes'	OTHER	Out of Scope	16:21
Removed	https://api.moneyboxapp.com/	URL	In Scope	16:21
Removed	https://admin.moneyboxapp.org/	URL	In Scope	16:21
Removed	content served by the cloudflare access service (https://moneyboxapp.cloudflareaccess.com/*) is out of scope. these pages intentionally do not set a cors allow-origin policy. we have seen this reported several times as a vulnerability, but it is intended behaviour and is considered out of scope	OTHER	Out of Scope	16:21
Removed	https://admin-roundups.moneyboxapp.org/	URL	In Scope	16:21
Removed	security concerns originating from https://moneyboxapp.onelogin.com/ are typically considered out of scope. these pages and their content are served by onelogin, and any issues should be reported to them directly. however, if an exploit explicitly enables bypassing onelogin to access moneybox systems or leaking moneybox sensitive data, it is crucial to raise the concerns to both onelogin and moneybox	OTHER	Out of Scope	16:21
Removed	https://sycamore.moneyboxapp.org/	URL	In Scope	16:21
Added	https://admin.moneyboxapp.org	URL	In Scope	16:21
Added	https://admin-roundups.moneyboxapp.org	URL	In Scope	16:21
Added	https://sycamore.moneyboxapp.org	URL	In Scope	16:21
Added	all domains or subdomains not listed in the above list of 'scopes'	OTHER	Out of Scope	16:21

Feb 25, 2026

Change	Asset	Category	Scope	Time
Added	content served by the cloudflare access service (https://moneyboxapp.cloudflareaccess.com/*) is out of scope. these pages intentionally do not set a cors allow-origin policy. we have seen this reported several times as a vulnerability, but it is intended behaviour and is considered out of scope	OTHER	Out of Scope	19:09
Added	https://play.google.com/store/apps/details?id=com.moneyboxapp	ANDROID	In Scope	19:09
Added	https://sycamore.moneyboxapp.org/	URL	In Scope	19:09
Added	the moneybox public website https://www.moneyboxapp.com/ and other moneyboxapp.com / moneyboxapp.org domains not listed are out of scope	OTHER	Out of Scope	19:09
Added	https://api.moneyboxapp.com/	URL	In Scope	19:09
Added	https://admin.moneyboxapp.org/	URL	In Scope	19:09
Added	https://apps.apple.com/gb/app/moneybox-save-and-invest/id1049797239	IOS	In Scope	19:09
Added	security concerns originating from https://moneyboxapp.onelogin.com/ are typically considered out of scope. these pages and their content are served by onelogin, and any issues should be reported to them directly. however, if an exploit explicitly enables bypassing onelogin to access moneybox systems or leaking moneybox sensitive data, it is crucial to raise the concerns to both onelogin and moneybox	OTHER	Out of Scope	19:09
Added	https://admin-roundups.moneyboxapp.org/	URL	In Scope	19:09

Feb 22, 2026

Change	Asset	Category	Scope	Time
Added	https://admin.moneyboxapp.org/	URL	In Scope	00:52
Added	https://admin-roundups.moneyboxapp.org/	URL	In Scope	00:52
Added	https://play.google.com/store/apps/details?id=com.moneyboxapp	ANDROID	In Scope	00:52
Added	https://sycamore.moneyboxapp.org/	URL	In Scope	00:52
Added	the moneybox public website https://www.moneyboxapp.com/ and other moneyboxapp.com / moneyboxapp.org domains not listed are out of scope	OTHER	Out of Scope	00:52
Added	content served by the cloudflare access service (https://moneyboxapp.cloudflareaccess.com/*) is out of scope. these pages intentionally do not set a cors allow-origin policy. we have seen this reported several times as a vulnerability, but it is intended behaviour and is considered out of scope	OTHER	Out of Scope	00:52
Added	security concerns originating from https://moneyboxapp.onelogin.com/ are typically considered out of scope. these pages and their content are served by onelogin, and any issues should be reported to them directly. however, if an exploit explicitly enables bypassing onelogin to access moneybox systems or leaking moneybox sensitive data, it is crucial to raise the concerns to both onelogin and moneybox	OTHER	Out of Scope	00:52
Added	https://api.moneyboxapp.com/	URL	In Scope	00:52
Added	https://apps.apple.com/gb/app/moneybox-save-and-invest/id1049797239	IOS	In Scope	00:52

Feb 21, 2026

Change	Asset	Category	Scope	Time
Removed	https://api.moneyboxapp.com/	URL	In Scope	21:40
Removed	https://admin.moneyboxapp.org/	URL	In Scope	21:40
Removed	https://admin-roundups.moneyboxapp.org/	URL	In Scope	21:40
Removed	https://apps.apple.com/gb/app/moneybox-save-and-invest/id1049797239	IOS	In Scope	21:40
Removed	https://play.google.com/store/apps/details?id=com.moneyboxapp	ANDROID	In Scope	21:40
Removed	https://sycamore.moneyboxapp.org/	URL	In Scope	21:40
Removed	the moneybox public website https://www.moneyboxapp.com/ and other moneyboxapp.com / moneyboxapp.org domains not listed are out of scope	OTHER	Out of Scope	21:40
Removed	content served by the cloudflare access service (https://moneyboxapp.cloudflareaccess.com/*) is out of scope. these pages intentionally do not set a cors allow-origin policy. we have seen this reported several times as a vulnerability, but it is intended behaviour and is considered out of scope	OTHER	Out of Scope	21:40
Removed	security concerns originating from https://moneyboxapp.onelogin.com/ are typically considered out of scope. these pages and their content are served by onelogin, and any issues should be reported to them directly. however, if an exploit explicitly enables bypassing onelogin to access moneybox systems or leaking moneybox sensitive data, it is crucial to raise the concerns to both onelogin and moneybox	OTHER	Out of Scope	21:40
Added	content served by the cloudflare access service (https://moneyboxapp.cloudflareaccess.com/*) is out of scope. these pages intentionally do not set a cors allow-origin policy. we have seen this reported several times as a vulnerability, but it is intended behaviour and is considered out of scope	OTHER	Out of Scope	00:33
Added	security concerns originating from https://moneyboxapp.onelogin.com/ are typically considered out of scope. these pages and their content are served by onelogin, and any issues should be reported to them directly. however, if an exploit explicitly enables bypassing onelogin to access moneybox systems or leaking moneybox sensitive data, it is crucial to raise the concerns to both onelogin and moneybox	OTHER	Out of Scope	00:33
Added	the moneybox public website https://www.moneyboxapp.com/ and other moneyboxapp.com / moneyboxapp.org domains not listed are out of scope	OTHER	Out of Scope	00:33