Proton

Proton bug bounty program

The Proton community trusts our services to keep their information safe. We take that trust seriously, which is why we’re dedicated to working with the security research community to identify, verify, and resolve potential vulnerabilities. If you’re a security researcher, you can help make Proton services safer, get recognized as a security contributor, and potentially earn a reward. And you’ll be a part of building a better internet where privacy is the default.

Bug bounty program
scope and rules

Before you submit a vulnerability to the Proton Bug Bounty Program, you should read the following documents:

  • Our vulnerability disclosure policy describes the program’s accepted testing methods.
  • Our safe harbor policy explains what tests and actions are protected from liability when you report vulnerabilities to the Proton Bug Bounty Program

We explain which vulnerabilities qualify for our bug bounty program and how they are judged in greater detail below.

How to report a
vulnerability?

You can submit vulnerability reports by email at security@proton.me. You can submit reports using plaintext, rich text, or HTML.

If you don’t use Proton Mail, we encourage you to encrypt your submissions using our PGP public key.

Judging


Our bug bounty adjudication panel consists of Proton Security and Engineering team members. This panel makes all final decisions regarding bounty awards, and participants must agree to respect the final decision made by the judges. The judges take into consideration the following factors:

  • The severity of the submission and how it may impact the scope, confidentiality, integrity, or availability of our services.
  • Whether human interaction or device privileges are required.
  • The quality of the submission: We prefer proof of concepts that include code or pseudocode that clearly demonstrate the vulnerability being reported.
  • The likelihood of the scenario reported being used in an exploit.
  • Whether the scenario was previously reported or publicly known. Only the first submission of a vulnerability will be considered for a bounty award.
  • Software security industry standards and best practices.

Qualifying vulnerabilities


Any design or implementation issue that substantially affects the confidentiality or integrity of user data will likely be considered within our bug bounty program’s scope. This includes, but is not limited to:

Web applications

  • Cross-site scripting
  • Cross-site request forgery
  • Mixed-content scripts
  • Authentication or authorization flaws
  • Server-side code execution bugs
  • REST API vulnerabilities

Server

  • SMTP exploits (open relays, etc.)
  • Unauthorized shell access
  • Unauthorized API access
  • Privilege escalation

Mobile

  • Authentication or authorization flaws
  • Server-side code execution bugs
  • Mobile local data security breach (without rooting)

Qualifying improvements


Sometimes we award bounties for suggestions that don’t fall into any of the listed categories. This is determined on a case-by-case basis and is completely at the discretion of our bug bounty adjudication panel. These improvements can include:

  • Mail or web server configuration improvements
  • Firewall configurations
  • Improved DoS and DDoS safeguards
  • Path and information disclosures
  • Proton Mail blog or support page issues (such as unpatched WordPress or plugin vulnerabilities)

Non-qualifying vulnerabilities


  • Flaws impacting out-of-date browsers
  • Security issues outside the scope of Proton Mail’s mission
  • Phishing or social engineering attacks
  • Bugs requiring exceedingly unlikely user interactions
  • WordPress bugs (but please report those to WordPress)
  • Out of date software (for a variety of reasons, we do not always run the most recent software versions, but we do run software that is fully patched)

Reward amounts


We reward security research that stays within the guidelines of the program. The size of the bounty we pay is determined on a case-by-case basis by our bug bounty adjudication panel. The amount they award is largely guided by the severity of the issue reported.

  • Maximum bounty: $10,000
  • Minor server and web app vulnerabilities that do not compromise user data: $50
  • Low severity vulnerabilities that leak Personal information such as IP address: $50
  • Moderate severity vulnerabilities that may result in disclosure of personal secrets $200
  • Vulnerabilities that can lead to data corruption: $200
  • Vulnerabilities that can lead to the disclosure of encrypted user data: $1,000+

Questions?


Questions regarding this policy may be sent to security@proton.me. Proton encourages security researchers to contact us for clarification on any element of this policy.

Please contact us if you are unsure if a specific test method is inconsistent with or unaddressed by this policy before you begin testing. We also invite security researchers to contact us with suggestions for improving this policy.