ProtonBlog
Proton Mail Bug Bounty Proram

Proton Mail bug bounty program

Condividi questa pagina

At Proton, our mission is to build a better internet where privacy is the default. In order to do this, community participation in securing Proton Mail(new window), Proton Calendar(new window), and Proton Drive(new window) is essential, and that is the spirit behind our bug bounty program.

Note, there is also a bug bounty program for Proton VPN(new window).

Rules

Scope: The program is limited to the servers and web and mobile applications run by Proton Mail. Our profiles on Facebook, Twitter, LinkedIn, Eventbrite, etc., do not qualify. Qualifying sites include:

Proton Mail iOS and Android apps are also included in this program, as well as the Proton Calendar Android app.

Judging: The judging panel to determine awards consists of Proton Mail developers assisted by one or more outside experts who are part of our security group. Program participants agree to respect the final decision made by the judges.

Responsible disclosure: We request that all vulnerabilities be reported to us at security@proton.me We believe it is against the spirit of this program to disclose the flaw to third parties for purposes other than actually fixing the bug. Participants agree to not disclose bugs found until after they have been fixed and to coordinate disclosure with our team through our release notes to avoid confusion.

Responsible testing:  Please do not spam users, leverage black hat SEO techniques, run phishing campaigns, or do other similarly questionable things. We also discourage vulnerability testing that degrades the quality of service for our users. If in doubt, feel free to contact our Security Team at security@proton.me.

Adherence to rules: By participating in this program, you agree to adhere to the above rules and conditions. All rules must be followed to be eligible for awards.

Qualifying vulnerabilities

Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program. This includes, but is not limited to:

Web applications

  • Cross-site scripting
  • Cross-site request forgery
  • Mixed-content scripts
  • Authentication or authorization flaws
  • Server-side code execution bugs
  • REST API vulnerabilities

Server

  • SMTP exploits (open relays, etc)
  • Un-authorised shell access
  • Privilege escalation

Mobile

  • Authentication or authorization flaws
  • Server-side code execution bugs
  • Mobile local data security breach (without rooting)

We believe in working closely with security researchers and are willing to share technical details such as API specifications or infrastructure details with selected researchers with the aim of improving security for all Proton Mail users. Please contact security@proton.me for more details.

Qualifying improvements

Sometimes, bounties are awarded for suggestions for improvement which don’t fall into any of the above categories. This is determined on a case by case basis by our team. These include things such as:

  • Mail or web server configuration improvements
  • Firewall configurations
  • Improved DOS/DDoS safeguards
  • Path/information disclosure
  • Proton Mail blog or support page issues (such as unpatched wordpress or plugin vulnerabilities)

Non-qualifying vulnerabilities

  • Flaws impacting out of date browsers (sorry, IE6 security issues don’t qualify)
  • Security issues outside the scope of Proton Mail’s mission
  • Phishing or social engineering attacks
  • Bugs requiring exceedingly unlikely user interactions
  • WordPress bugs (but please report those to WordPress)
  • Out of date software – For a variety of reasons, we do not always run the most recent software versions, but we do run software that is fully patched

Reward amounts

Proton Mail cannot pay bounties of the same size as Google or Facebook, but we do our best to reward security research that stays within the guidelines of our program. In fact, most of our security contributors(new window) are volunteers. The size of the bounty we pay is determined on a case by case basis, and largely depends on the severity of the issue. Rough bounty guidelines are provided below:

Maximum bounty: $10,000

Minor server and web app vulnerabilities that do not compromise user data: $50

Vulnerabilities that can lead to data corruption: $200

Vulnerabilities that can lead to the disclosure of encrypted user data: $1,000+

Proteggi le tue email e difendi la tua privacy
Passa gratis a Proton Mail

Condividi questa pagina

Proton Team

We are scientists, engineers, and specialists from around the world drawn together by a shared vision of protecting freedom and privacy online. Proton was born out of a desire to build an internet that puts people before profits, and we're working to create a world where everyone is in control of their digital lives.

Articoli correlati

en
In the public eye, Google presents itself as a champion of privacy. “Privacy is at the heart of everything we do,” its CEO said. But behind closed doors, Google is telling a different story to policymakers and actively fighting against privacy laws
en
The last thing you want when showing funny videos or holiday photos on your phone or tablet to friends and family is for them to see your sensitive and private photos. Although there are third-party apps dedicated to hiding your personal photos and
en
It can be slightly difficult to encrypt a zip file using the tools available on your Windows or Mac. Unlike encrypting a PDF or an Excel file, there’s no standardized software to use. You’ll need to rely on your device’s built-in encryption methods.
en
Last week, the Spanish Presidency of the European Council delayed a vote regarding the Council’s position on the controversial Child Sexual Abuse Regulation (CSAR) due to a lack of consensus over the issue of encryption, among others. This proposed r
en
At Proton, we’re always working on new and innovative ways to protect the privacy and data of the Proton community. Sometimes that means developing entirely new services, like our Proton Sentinel program, which combines AI and human security analysts
How to unsend an email in Gmail, Outlook, Proton Mail, and Apple Mail
en
“Undo Send” gives you a chance to stop an erroneous message you’ve just sent. We’ve all done it. You hit Send on an email only to spot you’ve misspelled someone’s name, forgotten an attachment, or accidentally sent a cringing joke to half your conta