The MyCashflow security bug bounty program

Updated: 21 Jun 2023

At MyCashflow we want to provide a safe and secure platform for MyCashflow merchants. We strive to remain on the cutting edge of our business and technology to constantly mitigate risks and security issues – both pre-emptively and reactively. Part of this is to provide a bounty for security researchers who discover and report any risks and vulnerabilities in MyCashflow.

Scope of this program

This bug bounty program only applies to our product, MyCashflow, and more specifically, the admin features of the system. Any bugs related to the following do not fall under the scope of this program:

  • the front-end features of MyCashflow stores
  • any of our websites (for example, www.mycashflow.com)
  • 3rd party services

Rules

Please adhere to the following rules in order to participate in this bug bounty program.

Forbidden operations:

  • Do not conduct your tests in our clients' stores. Set up your own testing store and use it to create your Proof of Concept.
  • Do not use automated scanners.
  • Do not disclose your findings to 3rd parties. Only use security@mycashflow.fi to report vulnerabilities and please provide any additional details by email if asked to do so.
  • Do not breach or steal client data, or cause damage to users or their data or devices, the platform or the company. This includes social engineering, spam and the use of automated tools, which could be interpreted as a DoS attack.

General guidelines for researching and reporting vulnerabilities:

  • Anonymize any sensitive data in your report.
  • Only report verifiable vulnerabilities and provide evidence for them in the form of a Proof of Concept that can be used to reproduce the vulnerability.
  • If we discover that a single bug or technical error causes several vulnerabilities, they will be treated as one, i.e. no separate reward will be paid for each vulnerability.
  • Do not violate any applicable laws or breach any applicable agreements in order to discover vulnerabilities.

Known issues

  • CSRF in some admin panel functions

Excluded issues

We ask you to not submit reports regarding:

  • The MyCashflow Point of Sale system
  • Race condition issues that might enable bypassing plan-specific limits (for example, exceeding the allowed product amount)
  • Email flooding
  • Issues with user password strength or account recovery
  • Issues pertaining to store themes, 3rd party JavaScript plugins etc.
  • Theoretical vulnerabilities without any proof or demonstration of the real presence of the vulnerability
  • Findings from automated tools without providing a Proof of Concept
  • Known issues
  • Previously known vulnerable software or libraries without a working Proof of Concept
  • Vulnerabilities requiring MITM, Self-XSS, or physical access to a user’s browser or device
  • SPAM or phishing
  • Missing or weak security-related HTTP headers, or weak SSL/TLS cipher suites
  • Reflected XSS that cannot be carried out via a web browser
  • Issues related to CSP or HSTS best practices
  • Disclosure of non-sensitive data (for example, server version banners, software version numbers, headers, etc.)
  • CSRF on unauthenticated forms or forms with no sensitive actions
  • Invalid or missing SPF/DKIM/DMARC records, or similar email-related issues
  • HTTPS mixed content
  • Expired SSL certificates
  • Rate limiting or brute-force issues on non-authentication endpoints
  • DoS
  • Clickjacking
  • Bugs that are not related to MyCashflow (for example, bugs on our websites or 3rd party integrations)
  • Issues that only occur with unsupported browsers or platforms
  • XSS issues that require an unlikely amount of user interaction
  • Missing CAPTCHA
  • Missing cookie flags on non-sensitive cookies
  • Path disclosure

Reporting findings

Send a detailed report on your findings to security@mycashflow.fi with a description of the steps needed to reproduce the issue. Please include the following details in your message:

  • Brief description of the discovered vulnerabilities
  • Date and time of the findings
  • Detailed proof of concept (steps to reproduce the issue)
  • Potential effects of the discovered vulnerabilities
  • Suggestions for fixing the discovered vulnerabilities
  • Whether you are in the Finnish prepayment register
  • Your IBAN account number

In the event of duplicate reports, we award a bounty to the first person to submit an issue. MyCashflow determines duplicates in its sole discretion and is not obligated to share details on prior similar reports.

Bounty rewards

Below you can find examples of different vulnerabilities that justify a reward in this bug bounty program. We review and assess the severity of each report individually.

A report only qualifies for a reward if we can successfully verify and replicate the findings therein and decide that they fall under the scope and rules of this program.

Critical: 1000 – 3000 €

  • Successful execution of remote code
  • Privilege escalation

High: 500 – 1000 €

  • SQL injection
  • Persistent XSS

Medium: 250 – 500 €

  • Non-persistent XSS

Low: 100 – 250 €

  • Edge case performance issues which could be used for DoS
  • Debugging information

All reward payments will be made by direct bank transfer. With B2B payments the relevant VAT will be taken into account.