mpb-bug-bounty-program
In-Scope Assets (5)
| Asset | Category | Bounty | Quick Links |
|---|---|---|---|
| New Feature Releases | URL | Yes | - |
| https://api.mpb.com | URL | Yes | |
| https://flamingo.mpb.com | URL | Yes | |
| https://mpb.com | URL | Yes | |
| https://swan.mpb.com/ | ANDROID | Yes | - |
Out-of-Scope Assets (5)
| Asset | Category | Bounty |
|---|---|---|
| All domains or subdomains not listed in the above list of 'Scopes' | OTHER | Yes |
| Any manipulation of prices on the platform, before completing the checkout, may appear to allow the user to complete the transaction. However, we have mitigated this issue with backend/server side validation. Funds will be reserved on a payment card but never captured, the user will never receive the goods they attempted to purchase and the product will remain available to purchase. This issue will not be considered for a reward | OTHER | Yes |
| Exclude 3rd party integrations such as: Bloomreach, GoCertify, Contentful, Disqus, Elastic APM, Full Story, Google Analytics, Google Tag Manager, Intercom, Kameleoon, Loquate, Mention Me, One Trust, Pingdom, Trusted Shops, Trust Pilot | OTHER | Yes |
| Please do not test the Chat bot or intercom.help | OTHER | Yes |
| Please note that simply demonstrating the ability to gain access to sensitive systems or data is enough to validate a vulnerability; you are not authorised to interact with or manipulate the data in any way. Any unauthorised interaction with data will not be eligible for a reward. | OTHER | Yes |
Scope Changes (10)
Apr 16, 2026
| Change | Asset | Category | Scope | Time |
|---|---|---|---|---|
| Added | https://mpb.com | URL | In Scope | 18:33 |
| Added | https://api.mpb.com | URL | In Scope | 18:33 |
| Added | https://flamingo.mpb.com | URL | In Scope | 18:33 |
| Added | https://swan.mpb.com/ | ANDROID | In Scope | 18:33 |
| Added | new feature releases | URL | In Scope | 18:33 |
| Added | all domains or subdomains not listed in the above list of 'scopes' | OTHER | Out of Scope | 18:33 |
| Added | please do not test the chat bot or intercom.help | OTHER | Out of Scope | 18:33 |
| Added | exclude 3rd party integrations such as : bloomreach, gocertify, contentful, disqus, elastic apm, full story, google analytics, google tag manager, intercom, kameleoon, loquate, mention me, one trust, pingdom, trusted shops, trust pilot | OTHER | Out of Scope | 18:33 |
| Added | any manipulation of prices on the platform, before completing the checkout, may appear to allow the user to complete the transaction. however, we have mitigated this issue with backend/server side validation. funds will be reserved on a payment card but never captured, the user will never receive the goods they attempted to purchase and the product will remain available to purchase. this issue will not be considered for a reward | OTHER | Out of Scope | 18:33 |
| Added | please note that simply demonstrating the ability to gain access to sensitive systems or data is enough to validate a vulnerability; you are not authorised to interact with or manipulate the data in any way. any unauthorised interaction with data will not be eligible for a reward | OTHER | Out of Scope | 18:33 |