Proton

Proton bug bounty program

The Proton community trusts our services to keep their information safe. We take that trust seriously, which is why we’re dedicated to working with the security research community to identify, verify, and resolve potential vulnerabilities.

If you’re a security researcher, you can help make Proton services safer, get recognized as a security contributor, and potentially earn a reward. And you’ll play a part in building a better internet where privacy is the default.

Bug bounty program scope and rules

Before you submit a vulnerability to the Proton Bug Bounty Program, you should read the following documents:

  • Our vulnerability disclosure policy describes the program’s accepted testing methods.

  • Our safe harbor policy explains what tests and actions are protected from liability when you report vulnerabilities to the Proton Bug Bounty Program.

How to report a vulnerability

You can submit vulnerability reports by email at security@proton.me. You can submit reports using plaintext, rich text, or HTML.

If you don’t use Proton Mail, we encourage you to encrypt your submissions using our PGP public key.

Qualifying vulnerabilities

We will likely consider any design or implementation issue that substantially affects the confidentiality or integrity of user data to be within our bug bounty program’s scope. This includes, but is not limited to:

Web applications

  • Cross-site scripting

  • Mixed-content scripts

  • Cross-site request forgery

  • Authentication or authorization flaws

  • Server-side code execution bugs

  • REST API vulnerabilities

Desktop applications

  • Remote code execution through Proton apps

  • Leakage of local data, credentials, or keychain information

  • Authentication and authorization weaknesses

  • Insecure update or code-signing mechanisms

  • Local privilege escalation vulnerabilities

Mobile applications

  • Mobile local data security breach

  • Authentication or authorization flaws

  • Server-side code execution bugs

Servers

  • Privilege escalation

  • SMTP exploits (for example, open relays)

  • Unauthorized shell access

  • Unauthorized API access

Scope exclusions

Judging submissions and determining rewards

We recognize and reward good-faith security research conducted in accordance with this policy.

Bounty amounts are evaluated on a case-by-case basis by our adjudication panel, which consists of Proton Security and Engineering team members. This panel makes all final decisions regarding bounty awards, and participants must agree to respect these decisions.

The severity of the impact on Proton users’ data is the primary factor in determining reward amounts. The figures listed below represent standard reward ranges. Actual payouts may vary based on factors such as:

  • Preconditions: whether exploitation depends on additional requirements beyond the vulnerability itself, for example:

    • Uncommon user settings – relies on atypical user configurations or settings.
    • Non-default configurations – requires Proton software to be set up in a non-standard way.
    • Exploit reliability – success is inconsistent, for example non-deterministic outcomes caused by race conditions or a low RCE success rate.
    • Local device state – requires elevated privileges, a jailbroken/rooted device, and/or physical access.
    • Environmental or network conditions – contingent on rare or unlikely external conditions.

  • Impact scope: The extent to which confidentiality, integrity, or availability of our services may be affected.

  • Exploit chain value: Whether the issue can contribute to a broader chain of vulnerabilities.

  • Exploitability: The likelihood that the issue can be used in a real-world attack.

  • Novelty: Whether the issue is new, previously reported, or already public; only the first valid submission is eligible.

  • Quality of submission: Must include a reproducible proof-of-concept or a clear path showing impact. Code or pseudocode is strongly preferred.

In exceptional cases, rewards may be increased up to the maximum reward amount.

Reward amounts

  • Maximum reward: USD 100,000

  • Critical severity: USD 25,000 - USD 50,000

    Discovery of a vulnerability that allows for full sustained unauthorized control of the service environment, or compromises the confidentiality or integrity of all users’ data without requiring special conditions or prior access.

  • High severity: USD 2,500 - USD 25,000

    Discovery of a vulnerability that leads to sustained unauthorized control over a large part of the service environment, or a significant breach of data confidentiality or integrity affecting a broad group of users — without requiring special conditions or prior access — but still short of full service compromise.

  • Medium severity: USD 1,000 - USD 2,500

    Discovery of a vulnerability that allows unauthorized control over part of the service environment, or compromises the integrity or confidentiality of user data for a single user or a small group. Alternatively, vulnerabilities with broader impact that require significant user interaction or specific conditions, but still lead to the exposure of sensitive data or controls.

  • Low severity: Case-by-case, no monetary reward by default

    Discovery of a vulnerability with a limited impact or with unlikely conditions.

Eligibility requirements

Findings that describe intended behavior, or that offer theoretical or best-practice recommendations without a concrete path to exploitation, are ineligible. The first valid reporter of each qualifying vulnerability receives the corresponding payout after Proton confirms the issue and deploys a fix.

Questions

Questions regarding this policy may be sent to security@proton.me. Proton encourages security researchers to contact us for clarification on any element of this policy.

Please contact us before you begin testing if you are unsure whether a specific test method is inconsistent with or unaddressed by this policy. We also invite security researchers to contact us with suggestions for improving this policy.