Draft — pending legal review. This page describes how moneta intends to operate. It is informational and not yet legally binding. Final published versions will replace this notice.

Responsible Disclosure

Report a security vulnerability to moneta.

We welcome reports from independent security researchers. This policy describes what's in scope, how to report, what to expect from us, and the safe-harbor commitments we make in return.

Last updated 2026-05-19. Applies to all regions.

1. In scope

The following targets are in scope for security research:

  • *.monetacloud.com — production application and APIs.
  • The moneta mobile applications (when published).
  • Public packages we publish under @moneta namespaces on npm and PyPI.

Out of scope:

  • Marketing pages (monetacloud.com root domain) — please report typos to hello@monetacloud.com.
  • Findings exclusively against third-party software where we have not configured it (e.g., generic CMS plugins on subdomains we do not control).
  • Social engineering, phishing, or physical attacks against moneta employees or facilities.
  • Denial-of-service or volumetric attacks. Please do not attempt them.
  • Vulnerabilities in third-party services that are already known and patched.

2. How to report

Send a report to security@monetacloud.com. PGP fingerprint available on request.

A good report includes:

  • A clear description of the issue and its security impact.
  • Reproduction steps, including the affected URL, HTTP request, parameters, and any test accounts you used.
  • Screenshots, video, or proof-of-concept code where helpful.
  • Your suggested CVSS v3.1 vector, if you have one.
  • Your name (or pseudonym) and how you'd like to be credited, if at all.

3. Safe harbor

We will not pursue legal action against researchers who:

  • Make a good-faith effort to comply with this policy.
  • Avoid privacy violations, destruction of data, and interruption or degradation of the Service.
  • Interact only with accounts they own, or with the explicit permission of the account holder.
  • Do not publicly disclose the issue before we have had a reasonable opportunity to address it.

If in doubt about whether your research is in scope, contact us before testing.

4. What to expect from us

Our commitments:

  • Acknowledge your report within 3 business days.
  • Initial assessment with a severity rating within 7 business days.
  • Status updates at least every 14 days until resolution.
  • Credit in our security advisories and Hall of Fame, with your permission.

5. Rewards

moneta currently does not offer monetary rewards or a formal bug bounty. We acknowledge significant findings publicly (with permission) and may provide swag for high-impact reports. A formal program is on our roadmap.

6. Security Hall of Fame

We thank the researchers who have helped strengthen moneta. The current list is published at monetacloud.com/security/hall-of-fame (coming soon).

7. Contact

Reports: security@monetacloud.com. Questions about this policy: same address.