Security Policy

Monaco takes the security of our customers' data seriously. If you believe you have found a security vulnerability in any Monaco product or service, we'd like to hear from you.

Reporting a Vulnerability

Email security@monaco.com, or submit a report through our vulnerability disclosure form. For sensitive reports, please encrypt your message using our PGP key:

  • Fingerprint: 54FC 7122 1433 4900 FE9F 2921 BAB2 7553 F3F9 A8B7
  • Download: keys.openpgp.org

Please include:

  • A description of the issue and its potential impact
  • Steps to reproduce (proof-of-concept, screenshots, affected URLs)
  • Any relevant logs or request/response captures
  • Your name or handle, if you'd like public credit

Scope

In scope:

  • www.monaco.com — marketing and landing site
  • app.monaco.com — Monaco web application
  • api.monaco.com — Monaco public API

Out of scope:

  • Third-party services we integrate with — please report to them directly
  • Social engineering of Monaco employees, contractors, or customers
  • Physical attacks against Monaco offices or infrastructure
  • Denial-of-service attacks, volumetric testing, or load testing
  • Findings from automated scanners without demonstrated impact
  • Vulnerabilities in unsupported browsers or end-of-life software
  • Missing security headers or best-practice recommendations without a concrete exploit
  • Clickjacking on pages with no sensitive actions
  • Self-XSS and issues requiring physical access to a victim's device

Safe Harbor

We will not pursue legal action against, or initiate law enforcement investigation of, researchers who in good faith comply with this policy. To qualify for safe harbor, you must:

  • Make a good-faith effort to avoid privacy violations, data destruction, and service disruption
  • Interact only with accounts you own or accounts that the account holder has given you explicit permission to access
  • Not exploit the issue beyond what is necessary to demonstrate it
  • Give Monaco reasonable time to remediate before public disclosure
  • Comply with all applicable laws

If legal action is initiated by a third party against you for activities conducted in accordance with this policy, we will make this authorization known.

Our Commitments

  • We will acknowledge your report within 5 business days.
  • We will provide a triage assessment and expected remediation timeline as quickly as possible after acknowledgment.
  • We will keep you informed of remediation progress.
  • We will credit you publicly, if you'd like, once the issue is resolved.

Rewards

Monaco does not currently offer monetary rewards for vulnerability reports. We deeply appreciate the security research community and are happy to provide public acknowledgment with your consent.

Coordinated Disclosure

We ask that you give us 90 days from the date of your report to remediate before any public disclosure. For critical issues, we will work with you on a coordinated disclosure timeline. Please do not disclose the issue publicly — including to other researchers — until we've had a chance to respond.

Questions

If anything in this policy is unclear, or you're unsure whether a particular test is in scope, email security@monaco.com before testing and we'll do our best to clarify quickly.

Last updated: 2026-04-20

Copyright © 2026 Monaco. All rights reserved.