Bug Bounty Program

Find bugs in our websites and platforms and you might get rewarded

What is Bug Bounty?


We want to know if our site’s security is strong enough and if a malicious user can access information that could harm us. If you think computer security is your strength, see how you can win a prize by helping us find a potential vulnerability.

Introduction of the program

The purpose of this program is to establish collaboration with security researchers in order to perform security tests against tbi bank Group environment. Its goals are:

to determine whether and how a malicious user can gain unauthorized access to assets that affect the fundamental security of the system, files, logs and/or sensitive data;
to confirm that the applicable controls, such as scope, vulnerability management, methodology, and segmentation are in place.



Scope of this policy covers all the assets of tbi bank EAD, tbi bank EAD Sofia – Branch Bucharest, tbi money IFN S.A. (Romania), tbi leasing S.A. (Romania). This Program covers a mixed environment including all systems, applications, web services, APIs, mobile and all targets part of the infrastructure of the bank.



To encourage reporting vulnerabilities to tbi, we would urge you to send any vulnerabilities you detect to us and you might get rewarded for your efforts. Rewards are granted entirely at the discretion of tbi and the amount depends on the severity of the vulnerability reported, the type of website (static information sites versus online banking sites) concerned and the quality of the report we receive.

You will be eligible for a bounty only if you are the first person to disclose an unknown issue.

At tbi discretion, providing more complete research, proof-of-concept code and detailed write-ups may increase the bounty awarded. Conversely, tbi may pay less for vulnerabilities that require complex or over-complicated interactions or for which the impact or security risk is negligible. Rewards may be denied if there is evidence of program policy violations.

Rewards will be declined if we find evidence of abuse.


Program Rules

Never use a finding to compromise and/or exfiltrate data or pivot to other systems. Use a proof of concept only to demonstrate an issue.

If sensitive information--such as personal information, credentials, etc.--is accessed as part of a vulnerability, it must not be saved, stored, transferred, accessed, or otherwise processed after the initial discovery. All copies of sensitive information must be returned to tbi bank and may not be retained.

Researchers may not, and are not authorized to, engage in any activity that would be disruptive, damaging or harmful to tbi bank brands or its users. This includes: social engineering, phishing, physical security and denial of service attacks against users, employees.

Researchers may not publicly disclose vulnerabilities (sharing any details whatsoever with anyone other than authorized employees), or otherwise share vulnerabilities with a third party, without tbi express written permission.

Legal Terms


tbi is not giving permission/authorization (either implied or explicit) to an individual or group of individuals to extract personal information or content of any users or publicize this information on the open, public-facing internet without user consent or modify or corrupt programs or data belonging to tbi.


tbi will not initiate a lawsuit or law enforcement investigation against a researcher in response to reporting a vulnerability if the researcher fully complies with this program.



Please do the following when participating in our bug bounty program:

Provide your IP address in the bug report. We will keep this data private and only use it to review logs related to your testing activity.

Include a custom HTTP header in all your traffic. Burp and other proxies allow the easy automatic addition of headers to all outbound requests. Report to us what header you set so we can identify it easily. For example:

A header that includes your username: X-Bug-Bounty:HackerOne-
A header that includes a unique or identifiable flag X-Bug-Bounty:ID-


When testing for a bug, please also keep in mind

Only use authorized accounts so as not to inadvertently compromise the privacy of our users

When attempting to demonstrate root permissions with the following primitives in a vulnerable process please use the following commands:

Read: cat /proc/1/maps

Write: touch /root/

Execute: id, hostname, pwd (though, technically cat and touch also prove execution)

Minimize the mayhem. Adhere to program rules at all times. Do not use automated scanners/tools - these tools include payloads that could trigger state changes or damage production systems and/or data

Before causing damage or potential damage: Stop, report what you've found and request additional testing permission

Responsible Disclosure of Vulnerabilities

We are continuously working to evolve our bug bounty program. We aim to respond to incoming submissions as quickly as possible and make every effort to have bugs fixed within 120 days of being triaged.

Out of Scope

The following issues are considered out of scope:

  • Those that resolve to third-party services
  • Issues that do not affect the latest version of modern browsers
  • Issues that we are already aware of or have been previously reported
  • Issues that require unlikely user interaction
  • Disclosure of information that does not present a significant risk
  • Cross-site Request Forgery with minimal security impact
  • CSV injection
  • Incomplete or missing SPF/DKIM
  • General best practice concerns

Final tip

Please read carefully the full Bug Bounty program policy in the attached file, where you will find all the details regarding your potential cooperation, the report requirements, criminal liability, confidentiality, and other well-defined important details.

If you have any questions, please write us at: bugbounty@tbibank.bg

Applicable documents