Proton bug bounty program
The Proton community trusts our services to keep their information safe. We take that trust seriously, which is why we’re dedicated to working with the security research community to identify, verify, and resolve potential vulnerabilities. If you’re a security researcher, you can help make Proton services safer, get recognized as a security contributor, and potentially earn a reward. And you’ll be a part of building a better internet where privacy is the default.
Bug bounty program scope and rules
Before you submit a vulnerability to the Proton Bug Bounty Program, you should read the following documents:
- Our vulnerability disclosure policy describes the program’s accepted testing methods.
- Our safe harbor policy explains which tests and actions are protected from liability when you report vulnerabilities to the Proton Bug Bounty Program.
We explain which vulnerabilities qualify for our bug bounty program and how they are judged in greater detail below.
How to report a vulnerability
You can submit vulnerability reports by email at security@proton.me. You can submit reports using plaintext, rich text, or HTML.
If you don’t use Proton Mail, we encourage you to encrypt your submissions using our PGP public key.
Judging criteria
- The severity of the submission and how it may impact the scope, confidentiality, integrity, or availability of our services.
- Whether human interaction or device privileges are required.
- The quality of the submission: We prefer proofs of concept that include code or pseudocode clearly demonstrating the vulnerability being reported.
- The likelihood of the scenario reported being used in an exploit.
- Whether the scenario was previously reported or publicly known. Only the first submission of a vulnerability will be considered for a bounty award.
- Software security industry standards and best practices.
Qualifying vulnerabilities
Web applications
- Cross-site scripting
- Cross-site request forgery
- Mixed-content scripts
- Authentication or authorization flaws
- Server-side code execution bugs
- REST API vulnerabilities
Server
- SMTP exploits (open relays, etc.)
- Unauthorized shell access
- Unauthorized API access
- Privilege escalation
Mobile
- Authentication or authorization flaws
- Server-side code execution bugs
- Mobile local data security breach (without rooting)
Qualifying improvements
- Mail or web server configuration improvements
- Firewall configurations
- Improved DoS and DDoS safeguards
- Path and information disclosures
- Proton Mail blog or support page issues (such as unpatched WordPress or plugin vulnerabilities)
Non-qualifying vulnerabilities
- Flaws impacting out-of-date browsers
- Security issues outside the scope of Proton Mail’s mission
- Phishing or social engineering attacks
- Bugs requiring exceedingly unlikely user interactions
- WordPress bugs (but please report those to WordPress)
- Out-of-date software (for a variety of reasons, we do not always run the most recent software versions, but the software we run is fully patched)
Reward amounts
- Maximum bounty: $10,000
- Minor server and web app vulnerabilities that do not compromise user data: $50
- Low severity vulnerabilities that leak personal information such as an IP address: $50
- Moderate severity vulnerabilities that may result in the disclosure of personal secrets: $200
- Vulnerabilities that can lead to data corruption: $200
- Vulnerabilities that can lead to the disclosure of encrypted user data: $1,000+
Questions about Proton
Please contact us if you are unsure if a specific test method is inconsistent with or unaddressed by this policy before you begin testing. We also invite security researchers to contact us with suggestions for improving this policy.