Phishing simulation Awareness training Data breach detection About Blog Resources Pricing Contact
Get started Log in

Moxso Bug Bounty Program

Moxso’s Bug Bounty Program rewards responsible security research that helps protect customer data, platform integrity, and trust.

Rewards & Severity

All submissions are assessed and accepted or declined by the Moxso Security team using a simple severity model. Each vulnerability is unique; the examples below are indicative.

€3,000+ - Critical

Issues that pose an immediate, high risk to Moxso customers or core systems. Examples:

  • Remote code or command execution in production
  • Unauthorized access to production databases
  • Authentication or MFA bypass
  • Access to customer data or internal systems Exceptional reports may receive higher rewards.
€1,500 – €3,000 - High

Issues that allow unauthorized access to sensitive data or elevated privileges. Examples:

  • Authorization bypass between customer workspaces
  • Stored or reflected XSS with meaningful impact
  • Exposure of sensitive data via misconfigured storage or APIs
  • Access to internal, non-public services
€500 – €1,500 - Medium

Issues with limited data exposure or constrained impact. Examples:

  • Limited data disclosure across tenants
  • XSS without CSP bypass or sensitive actions
  • CSRF on low-risk functionality
  • Client-side code execution requiring user interaction
€0 – €500 - Low

Issues with minimal impact or no realistic privilege escalation. Examples:

  • Minor logic flaws
  • Debug or verbose error exposure without sensitive data
  • Information disclosure with negligible risk

Scope

Only systems owned and operated by Moxso are in scope. Testing of third-party services is not permitted.

In scope (non-exhaustive):

  • Moxso web application and APIs
  • Customer-facing dashboards and training platforms
  • Moxso-owned infrastructure supporting the platform

Out of scope:

  • Third-party integrations and providers
  • Social engineering, phishing, or physical attacks
  • Denial-of-service or volumetric attacks

Rules of Engagement

  • Only test accounts, workspaces, and data you own
  • Do not impact other customers or production availability
  • Automated tools are allowed only if they generate low traffic
  • Stop immediately if you believe you have affected system stability

Prohibited activities may result in account suspension and loss of eligibility.

Handling Personal Data (PII)

Do not intentionally access other users’ personal data. If PII exposure is suspected:

  • Limit access to your own data only
  • Report immediately
  • Do not store or retain exposed data

You may be asked to confirm deletion of any accessed data.

Reporting Vulnerabilities

  • Reports must include clear, written reproduction steps
  • Submit exclusively through Moxso’s designated disclosure channel (outlined in security.txt)
  • Do not publicly disclose issues before a fix is released
  • Redact sensitive data in screenshots and logs

Duplicate reports are rewarded only for the first valid submission.

Legal Safe Harbor

Security research conducted in good faith and in line with this policy is considered authorized. Moxso will not pursue legal action for compliant research under applicable computer misuse laws. This protection does not extend to third parties.

Award Payment

  • Rewards are based on severity and real-world impact
  • You are responsible for any applicable taxes
  • Moxso may modify or discontinue the program at any time
  • Researchers on sanctions lists or in sanctioned regions are ineligible

Final Notes

If you are unsure whether an activity is allowed, ask before testing. Responsible disclosure helps keep Moxso and its customers secure and we appreciate your contribution.