Proton bug bounty program
The Proton community trusts our services to keep their information safe. We take that trust seriously, which is why we’re dedicated to working with the security research community to identify, verify, and resolve potential vulnerabilities.
If you’re a security researcher, you can help make Proton services safer, get recognized as a security contributor, and potentially earn a reward. And you’ll play a part in building a better internet where privacy is the default.
Bug bounty program scope and rules
Before you submit a vulnerability to the Proton Bug Bounty Program, you should read the following documents:
Our vulnerability disclosure policy describes the program’s accepted testing methods.
Our safe harbor policy explains what tests and actions are protected from liability when you report vulnerabilities to the Proton Bug Bounty Program
How to report a vulnerability?
You can submit vulnerability reports by email at security@proton.me. You can submit reports using plaintext, rich text, or HTML.
If you don’t use Proton Mail, we encourage you to encrypt your submissions using our PGP public key.
Qualifying vulnerabilities
We will likely consider any design or implementation issue that substantially affects the confidentiality or integrity of user data on within our bug bounty program’s scope. This includes, but is not limited to:
Web applications
Cross-site scripting
Mixed-content scripts
Cross-site request forgery
Authentication or authorization flaws
Server-side code execution bugs
REST API vulnerabilities
Desktop applications
Remote code execution through Proton apps
Leakage of local data, credentials, or keychain information
Authentication and authorization weaknesses
Insecure update or code-signing mechanisms
Local privilege escalation vulnerabilities
Mobile applications
Mobile local data security breach
Authentication or authorization flaws
Server-side code execution bugs
Servers
Privilege escalation
SMTP exploits (for example, open relays)
Unauthorized shell access
Unauthorized API access
Judging submissions and determining rewards
We recognize and reward good-faith security research conducted in accordance with this policy.
Bounty amounts are evaluated on a case-by-case basis by our adjudication panel, which consists of Proton Security and Engineering team members. This panel makes all final decisions regarding bounty awards, and participants must agree to respect these decisions.
The severity of the impact on Proton users’ data is the primary factor in determining reward amounts. The figures listed below represent standard reward ranges. Actual payouts may vary based on factors such as:
Preconditions: whether exploitation depends on additional requirements beyond the vulnerability itself, for example:
- Uncommon user settings – relies on atypical user configurations or settings.
- Non-default configurations – requires Proton software to be set up in a non-standard way.
- Exploit reliability – success is inconsistent, for example, non-deterministic success, due to race conditions, low RCE success rates.
- Local device state – requires elevated privileges, a jailbroken/rooted device, and/or physical access.
- Environmental or network conditions – contingent on rare or unlikely external conditions.
Impact scope: The extent to which confidentiality, integrity, or availability of our services may be affected.
Exploit chain value: Whether the issue can contribute to a broader chain of vulnerabilities.
Exploitability: The likelihood that the issue can be used in a real-world attack.
Novelty: Whether the issue is new, previously reported, or already public; only the first valid submission is eligible.
Quality of submission: Must include a reproducible proof-of-concept or a clear path showing impact. Code or pseudocode is strongly preferred.
In exceptional cases, rewards may be increased up to the maximum reward amount.
Reward amounts
Maximum reward: USD 100,000
Critical severity: USD 25,000 - USD 50,000
Discovery of a vulnerability that allows for full sustained unauthorized control of the service environment, or compromises the confidentiality or integrity of all users’ data without requiring special conditions or prior access.
High severity: USD 2,500 - USD 25,000
Discovery of a vulnerability that leads to sustained unauthorized control over a large part of the service environment, or a significant breach of data confidentiality or integrity affecting a broad group of users — without requiring special conditions or prior access — but still short of full service compromise.
Medium severity: USD 1,000 - USD 2,500
Discovery of a vulnerability that allows unauthorized control over part of the service environment, or compromises the integrity or confidentiality of user data for a single user or a small group. Alternatively, vulnerabilities with broader impact that require significant user interaction or specific conditions, but still lead to the exposure of sensitive data or controls.
Low severity: Case-by-case, no monetary reward by default
Discovery of a vulnerability with a limited impact or with unlikely conditions.
Eligibility requirements
Findings that describe intended behavior, theoretical or best-practice recommendations without a concrete path to exploitation are ineligible. The first valid reporter of each qualifying vulnerability receives the corresponding payout after Proton confirms the issue and deploys a fix.
Questions
Questions regarding this policy may be sent to security@proton.me. Proton encourages security researchers to contact us for clarification on any element of this policy.
Please contact us if you are unsure if a specific test method is inconsistent with or unaddressed by this policy before you begin testing. We also invite security researchers to contact us with suggestions for improving this policy.