M1 Bug Bounty Program

M1 Finance welcomes independent researchers who wish to report potential security vulnerabilities. Before submitting any findings, please read the following guidelines and terms. Reporting of potential security vulnerabilities are limited to the following:

To learn more about security at M1 Finance please visit M1 Security Recommendations.

To get support with an M1 product please visit our Help Center.

Guidelines

In order to help us understand and mitigate the potential vulnerability as quickly as possible, please follow these guidelines when creating a clear report. For submittal instructions, please see below “Submit” section.

  • Please include the following information:
    • The product name and version (e.g. Android App version xxx);
    • The product names and versions for any other hardware/software involved (e.g. “M1 web app accessed through Firefox version xxx”);
    • A clear and concise description of the issue;
    • A reproducible example of the bug (e.g., in the form of a script or just instructions); and
    • If applicable, a disclosure date.
  • Please note, the finding must not have been previously reported or a known issue to M1.
  • Please DO NOT attempt to access any person’s personal data during your research (this includes, but is not limited to, M1 personnel, M1 consumer-customers, any potential customers, and/or any other data that could be considered personal data). If you gain access to any personal data while testing, stop and alert us immediately. Do not store, transfer, transmit, copy, create derivative works from, or disclose personal data.

Researcher Eligibility

Due to legal constraints, all researchers must meet the following criteria if they wish to be eligible for a reward:

  • You have written approval from your employer if you are reporting on their behalf.
  • You are either 18 years of age or older. If you are a minor, you have your parent’s or legal guardian’s permission prior to reporting.
  • You are not a resident of  a country against which the United States has trade restrictions or export sanctions as determined by the U.S. Office of Foreign Assets Control (OFAC).
  • You are not on a U.S. Government list of sanctioned individuals.
  • You are neither currently nor have been an employee of or under contract with M1, or an M1 subsidiary, within 6 months prior to submitting a report. Moreover, you are neither a family member nor a part of a household with such a person.
  • You agree to cooperate with M1 during the investigation and mitigation of the finding and to coordinate the disclosure/release/publication of the finding with M1.
  • You agree not to access any person’s personal data during your research (this includes, but is not limited to, M1 personnel, M1 consumer-customers, any potential customers, and/or any other data that could be considered personal data).
  • You agree not to violate any applicable law or regulation including your local laws restricting participation and including laws prohibiting unauthorized access to information. For avoidance of doubt, M1 does not view testing that is done in compliance with the terms and conditions of M1’s Bug Bounty Program as unauthorized. 
  • M1 reserves the right to change any restrictions or eligibility requirements at any time.

Rewards

Rewards are scaled based on the severity of the finding and the quality of the report. M1 will not grant a reward if the researcher publicly discloses the issue before complete resolution or a specified disclosure date (each as solely determined by M1). To deliver a reward we will need your ACH information and W-9. Be prepared to provide this information after the finding has been verified. All payments will be made in U.S. dollars (USD) and will comply with local laws, regulations and ethics rules. You are responsible for the tax consequences of any bounty you receive, as determined by the laws of your locality.

Submit

Please submit all bug reports to security@m1finance.com.

A member of our team will review your findings and work with you to resolve the issue, if applicable. We will aim to reach out to you as soon as possible and work to create a vulnerability disclosure timeline within 180 days.

Check the background of M1 Finance LLC on FINRA's BrokerCheck

By using this website, you accept our Terms of Use and Privacy Policy and acknowledge receipt of all disclosures in our Disclosure Library. All agreements are available in our Agreement Library. M1 relies on information from various sources believed to be reliable, including clients and third parties, but cannot guarantee the accuracy and completeness of that information.

M1 refers to M1 Holdings Inc., and its affiliates. M1 Holdings is a technology company offering a range of financial products and services through its wholly-owned, separate but affiliated operating subsidiaries, M1 Finance LLC and M1 Spend LLC.

M1 Plus is an annual membership that confers benefits for products and services offered by M1 Finance LLC and M1 Spend LLC.

All investing involves risk, including the risk of losing the money you invest. Past performance does not guarantee future performance. Using M1 Borrow’s margin account can add to these risks, and you should learn more before borrowing. Nothing in this informational site is an offer, solicitation of an offer, or advice to buy or sell any security and you are encouraged to consult your personal investment, legal, or tax advisors.

Brokerage products and services are not FDIC insured, no bank guarantee, and may lose value. Brokerage products and services are offered by M1 Finance LLC, an SEC registered broker-dealer, Member FINRA / SIPC.

M1 Spend checking accounts furnished by Lincoln Savings Bank, Member FDIC. M1 Visa® Debit Card is issued by Lincoln Savings Bank, Member FDIC.

Credit Card not available for US Territory Residents. Review Cardholder Agreement and Rewards Terms for important information about the Owner’s Rewards Card by M1. The Owner’s Rewards Card by M1 is a credit card Powered by Deserve and issued by Celtic Bank, a Utah-Chartered Industrial Bank, Member FDIC.

All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

App Store is a service mark of Apple Inc. Google Play and the Google Play logo are trademarks of Google LLC.

200 N LaSalle St., Ste. 800 Chicago, IL 60601

© Copyright 2021 M1 Holdings Inc.