M1 Bug Bounty Program

M1 Finance welcomes independent researchers who wish to report potential security vulnerabilities. Before submitting any findings, please read the following guidelines and terms. Reporting of potential security vulnerabilities are limited to the following:

To learn more about security at M1 Finance please visit M1 Security Recommendations.

To get support with an M1 product please visit our Help Center.

Guidelines

In order to help us understand and mitigate the potential vulnerability as quickly as possible, please follow these guidelines when creating a clear report. For submittal instructions, please see below “Submit” section.

  • Please include the following information:
    • The product name and version (e.g. Android App version xxx);
    • The product names and versions for any other hardware/software involved (e.g. “M1 web app accessed through Firefox version xxx”);
    • A clear and concise description of the issue;
    • A reproducible example of the bug (e.g., in the form of a script or just instructions); and
    • If applicable, a disclosure date.
  • Please note, the finding must not have been previously reported or a known issue to M1.
  • Please DO NOT attempt to access any person’s personal data during your research (this includes, but is not limited to, M1 personnel, M1 consumer-customers, any potential customers, and/or any other data that could be considered personal data). If you gain access to any personal data while testing, stop and alert us immediately. Do not store, transfer, transmit, copy, create derivative works from, or disclose personal data.

Researcher Eligibility

Due to legal constraints, all researchers must meet the following criteria if they wish to be eligible for a reward:

  • You have written approval from your employer if you are reporting on their behalf.
  • You are either 18 years of age or older. If you are a minor, you have your parent’s or legal guardian’s permission prior to reporting.
  • You are not a resident of  a country against which the United States has trade restrictions or export sanctions as determined by the U.S. Office of Foreign Assets Control (OFAC).
  • You are not on a U.S. Government list of sanctioned individuals.
  • You are neither currently nor have been an employee of or under contract with M1, or an M1 subsidiary, within 6 months prior to submitting a report. Moreover, you are neither a family member nor a part of a household with such a person.
  • You agree to cooperate with M1 during the investigation and mitigation of the finding and to coordinate the disclosure/release/publication of the finding with M1.
  • You agree not to access any person’s personal data during your research (this includes, but is not limited to, M1 personnel, M1 consumer-customers, any potential customers, and/or any other data that could be considered personal data).
  • You agree not to violate any applicable law or regulation including your local laws restricting participation and including laws prohibiting unauthorized access to information. For avoidance of doubt, M1 does not view testing that is done in compliance with the terms and conditions of M1’s Bug Bounty Program as unauthorized. 
  • M1 reserves the right to change any restrictions or eligibility requirements at any time.
  • You are able to provide a W9. A W8 will not suffice.

Rewards

Rewards are scaled based on the severity of the finding and the quality of the report. M1 will not grant a reward if the researcher publicly discloses the issue before complete resolution or a specified disclosure date (each as solely determined by M1). To deliver a reward we will need your ACH information and W-9. Be prepared to provide this information after the finding has been verified. All payments will be made in U.S. dollars (USD) and will comply with local laws, regulations and ethics rules. You are responsible for the tax consequences of any bounty you receive, as determined by the laws of your locality.

Submit

Please submit all bug reports to security@m1.com.

A member of our team will review your findings and work with you to resolve the issue, if applicable. We will aim to reach out to you as soon as possible and work to create a vulnerability disclosure timeline within 180 days.