moneybox-bug-bounty
6
In Scope
3
Out of Scope
In-Scope Assets (6)
| Asset | Category | Bounty | Quick Links | |
|---|---|---|---|---|
| https://admin-roundups.moneyboxapp.org/ | URL | Yes | ||
| https://admin.moneyboxapp.org/ | URL | Yes | ||
| https://api.moneyboxapp.com/ | URL | Yes | ||
| https://apps.apple.com/gb/app/moneybox-save-and-invest/id1049797239 | IOS | Yes | - | |
| https://play.google.com/store/apps/details?id=com.moneyboxapp | ANDROID | Yes | ||
| https://sycamore.moneyboxapp.org/ | URL | Yes |
Out-of-Scope Assets (3)
| Asset | Category | Bounty | |
|---|---|---|---|
| Content served by the Cloudflare Access service (https://moneyboxapp.cloudflareaccess.com/*) is out of scope. These pages intentionally do not set a CORS Allow-Origin policy. We have seen this reported several times as a vulnerability, but it is intended behaviour and is considered out of scope. | OTHER | Yes | |
| Security concerns originating from https://moneyboxapp.onelogin.com/ are typically considered out of scope. These pages and their content are served by OneLogin, and any issues should be reported to them directly. However, if an exploit explicitly enables bypassing OneLogin to access Moneybox systems or leaking Moneybox sensitive data, it is crucial to raise the concerns to both OneLogin and Moneybox. | OTHER | Yes | |
| The Moneybox public website https://www.moneyboxapp.com/ and other moneyboxapp.com / moneyboxapp.org domains not listed are out of scope. | OTHER | Yes |
Scope Changes (30)
Feb 25, 2026
| Change | Asset | Category | Scope | Time |
|---|---|---|---|---|
| Added | https://api.moneyboxapp.com/ | URL | In Scope | 19:09 |
| Added | https://admin.moneyboxapp.org/ | URL | In Scope | 19:09 |
| Added | https://apps.apple.com/gb/app/moneybox-save-and-invest/id1049797239 | IOS | In Scope | 19:09 |
| Added | security concerns originating from https://moneyboxapp.onelogin.com/ are typically considered out of scope. these pages and their content are served by onelogin, and any issues should be reported to them directly. however, if an exploit explicitly enables bypassing onelogin to access moneybox systems or leaking moneybox sensitive data, it is crucial to raise the concerns to both onelogin and moneybox | OTHER | Out of Scope | 19:09 |
| Added | https://admin-roundups.moneyboxapp.org/ | URL | In Scope | 19:09 |
| Added | https://play.google.com/store/apps/details?id=com.moneyboxapp | ANDROID | In Scope | 19:09 |
| Added | https://sycamore.moneyboxapp.org/ | URL | In Scope | 19:09 |
| Added | the moneybox public website https://www.moneyboxapp.com/ and other moneyboxapp.com / moneyboxapp.org domains not listed are out of scope | OTHER | Out of Scope | 19:09 |
| Added | content served by the cloudflare access service (https://moneyboxapp.cloudflareaccess.com/*) is out of scope. these pages intentionally do not set a cors allow-origin policy. we have seen this reported several times as a vulnerability, but it is intended behaviour and is considered out of scope | OTHER | Out of Scope | 19:09 |
Feb 22, 2026
| Change | Asset | Category | Scope | Time |
|---|---|---|---|---|
| Added | https://admin.moneyboxapp.org/ | URL | In Scope | 00:52 |
| Added | https://admin-roundups.moneyboxapp.org/ | URL | In Scope | 00:52 |
| Added | https://play.google.com/store/apps/details?id=com.moneyboxapp | ANDROID | In Scope | 00:52 |
| Added | https://sycamore.moneyboxapp.org/ | URL | In Scope | 00:52 |
| Added | the moneybox public website https://www.moneyboxapp.com/ and other moneyboxapp.com / moneyboxapp.org domains not listed are out of scope | OTHER | Out of Scope | 00:52 |
| Added | content served by the cloudflare access service (https://moneyboxapp.cloudflareaccess.com/*) is out of scope. these pages intentionally do not set a cors allow-origin policy. we have seen this reported several times as a vulnerability, but it is intended behaviour and is considered out of scope | OTHER | Out of Scope | 00:52 |
| Added | security concerns originating from https://moneyboxapp.onelogin.com/ are typically considered out of scope. these pages and their content are served by onelogin, and any issues should be reported to them directly. however, if an exploit explicitly enables bypassing onelogin to access moneybox systems or leaking moneybox sensitive data, it is crucial to raise the concerns to both onelogin and moneybox | OTHER | Out of Scope | 00:52 |
| Added | https://api.moneyboxapp.com/ | URL | In Scope | 00:52 |
| Added | https://apps.apple.com/gb/app/moneybox-save-and-invest/id1049797239 | IOS | In Scope | 00:52 |
Feb 21, 2026
| Change | Asset | Category | Scope | Time |
|---|---|---|---|---|
| Removed | security concerns originating from https://moneyboxapp.onelogin.com/ are typically considered out of scope. these pages and their content are served by onelogin, and any issues should be reported to them directly. however, if an exploit explicitly enables bypassing onelogin to access moneybox systems or leaking moneybox sensitive data, it is crucial to raise the concerns to both onelogin and moneybox | OTHER | Out of Scope | 21:40 |
| Removed | https://sycamore.moneyboxapp.org/ | URL | In Scope | 21:40 |
| Removed | the moneybox public website https://www.moneyboxapp.com/ and other moneyboxapp.com / moneyboxapp.org domains not listed are out of scope | OTHER | Out of Scope | 21:40 |
| Removed | content served by the cloudflare access service (https://moneyboxapp.cloudflareaccess.com/*) is out of scope. these pages intentionally do not set a cors allow-origin policy. we have seen this reported several times as a vulnerability, but it is intended behaviour and is considered out of scope | OTHER | Out of Scope | 21:40 |
| Removed | https://api.moneyboxapp.com/ | URL | In Scope | 21:40 |
| Removed | https://admin.moneyboxapp.org/ | URL | In Scope | 21:40 |
| Removed | https://admin-roundups.moneyboxapp.org/ | URL | In Scope | 21:40 |
| Removed | https://apps.apple.com/gb/app/moneybox-save-and-invest/id1049797239 | IOS | In Scope | 21:40 |
| Removed | https://play.google.com/store/apps/details?id=com.moneyboxapp | ANDROID | In Scope | 21:40 |
| Added | content served by the cloudflare access service (https://moneyboxapp.cloudflareaccess.com/*) is out of scope. these pages intentionally do not set a cors allow-origin policy. we have seen this reported several times as a vulnerability, but it is intended behaviour and is considered out of scope | OTHER | Out of Scope | 00:33 |
| Added | security concerns originating from https://moneyboxapp.onelogin.com/ are typically considered out of scope. these pages and their content are served by onelogin, and any issues should be reported to them directly. however, if an exploit explicitly enables bypassing onelogin to access moneybox systems or leaking moneybox sensitive data, it is crucial to raise the concerns to both onelogin and moneybox | OTHER | Out of Scope | 00:33 |
| Added | the moneybox public website https://www.moneyboxapp.com/ and other moneyboxapp.com / moneyboxapp.org domains not listed are out of scope | OTHER | Out of Scope | 00:33 |