moneybox-bug-bounty

YesWeHackView on YesWeHack

RawAI Enhanced

6

In Scope

3

Out of Scope

In-Scope Assets (6)

Asset	Category	Bounty	Quick Links
https://admin-roundups.moneyboxapp.org/	URL	Yes	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
https://admin.moneyboxapp.org/	URL	Yes	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
https://api.moneyboxapp.com/	URL	Yes	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
https://apps.apple.com/gb/app/moneybox-save-and-invest/id1049797239	IOS	Yes	-
https://play.google.com/store/apps/details?id=com.moneyboxapp	ANDROID	Yes	Play Store APKPure APKMirror
https://sycamore.moneyboxapp.org/	URL	Yes	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa

Out-of-Scope Assets (3)

Asset	Category	Bounty
Content served by the Cloudflare Access service (https://moneyboxapp.cloudflareaccess.com/*) is out of scope. These pages intentionally do not set a CORS Allow-Origin policy. We have seen this reported several times as a vulnerability, but it is intended behaviour and is considered out of scope.	OTHER	Yes
Security concerns originating from https://moneyboxapp.onelogin.com/ are typically considered out of scope. These pages and their content are served by OneLogin, and any issues should be reported to them directly. However, if an exploit explicitly enables bypassing OneLogin to access Moneybox systems or leaking Moneybox sensitive data, it is crucial to raise the concerns to both OneLogin and Moneybox.	OTHER	Yes
The Moneybox public website https://www.moneyboxapp.com/ and other moneyboxapp.com / moneyboxapp.org domains not listed are out of scope.	OTHER	Yes

Scope Changes (9)

Apr 16, 2026

Change	Asset	Category	Scope	Time
Added	https://api.moneyboxapp.com/	URL	In Scope	18:33
Added	https://admin.moneyboxapp.org/	URL	In Scope	18:33
Added	https://admin-roundups.moneyboxapp.org/	URL	In Scope	18:33
Added	https://apps.apple.com/gb/app/moneybox-save-and-invest/id1049797239	IOS	In Scope	18:33
Added	https://play.google.com/store/apps/details?id=com.moneyboxapp	ANDROID	In Scope	18:33
Added	https://sycamore.moneyboxapp.org/	URL	In Scope	18:33
Added	the moneybox public website https://www.moneyboxapp.com/ and other moneyboxapp.com / moneyboxapp.org domains not listed are out of scope	OTHER	Out of Scope	18:33
Added	content served by the cloudflare access service (https://moneyboxapp.cloudflareaccess.com/*) is out of scope. these pages intentionally do not set a cors allow-origin policy. we have seen this reported several times as a vulnerability, but it is intended behaviour and is considered out of scope	OTHER	Out of Scope	18:33
Added	security concerns originating from https://moneyboxapp.onelogin.com/ are typically considered out of scope. these pages and their content are served by onelogin, and any issues should be reported to them directly. however, if an exploit explicitly enables bypassing onelogin to access moneybox systems or leaking moneybox sensitive data, it is crucial to raise the concerns to both onelogin and moneybox	OTHER	Out of Scope	18:33