N26 Bug Bounty Program—A treasure hunt for hackers

The N26 Bug Bounty Program offers cash rewards to encourage security researchers to inform us about bugs or vulnerabilities, so that we can fix them long before any damage is done.
Working Environment - N26 Team.

How to report a security bug

To report a security bug:
  • You need an account on HackerOne to be eligible for our Bug Bounty Program.
  • Request an invite to our bug bounty program on HackerOne by sending an email with your HackerOne username and email to bugbounty@n26.com.
  • Rewards are granted at our discretion. Please do not send any reports to this address.
  • Testing should be done on your own live N26 account.

Play by the rules

Before attempting anything, reporting a security bug or joining our program, please be aware that testing our environment can be designated as a criminal act by the relevant authorities if you are violating German law or any other law. Please be aware that our rules do not supersede any applicable laws. However, we will not report you to the authorities if you abide by the rules provided—as long as we are not required to do so by applicable laws.

Why N26 has a bug bounty program

Security has the highest priority at N26 and we’re continuously working to provide secure products. We follow international standards as defined by leading tech companies and security communities. However, no technology is perfect, and N26 believes that working with skilled security researchers and bug bounty hunters is crucial to identifying weaknesses in any technology. If you find a security bug in scope of our bug bounty program, we would really appreciate it if you would report it to us. This way, we can further improve the security and reliability of N26.

List of endpoints

api.tech26.de

What it does: This endpoint is the entry point to our API. Whether you want to create a payment, login to your account, or change your address, a call will be made to this endpoint. If you Google N26 API you may find some un-officials wrapper to our API with examples of call that are used. You can also look at the request that are made to api.tech26.de when you connect to my.n26.com What to look for: We are generally interested in application logic bugs, privilege escalation, RCE. What it runs on: Our API is written in Java.

app.n26.com

What it does: This subdomain lets you access a client side interface that calls the API (api.tech26.de). It offers many of the services offered through the mobile application, but not all of them. What to look for: We are generally interested in XSS injection, sensitive data exposure, privilege escalation. What it runs on: Our web app is written in Javascript.

iOS & Android apps

What it does: N26 has two mobile applications: iOS & Android. These are the main frontend applications we have and they contain all the features for N26 users. What to look for: We are generally interested in security misconfigurations or usage of outdated/unsafe libraries. What it runs on: Our mobile apps are implemented in Android/Java and Swift.

Direct reports

Signing up for HackerOne is free. We encourage all researchers to join the program there. If, for security or legal reasons, you cannot use HackerOne, we still appreciate direct reports. These reports are not eligible for Bug Bounty rewards. If you have such a case, you can send us an email to security@n26.com.