Last modified: 29 September 2022

Summary

  • We (Proton AG, domiciled Route de la Galaise 32, 1228 Plan-les-Ouates, Switzerland) want you to responsibly disclose vulnerabilities through the Proton Bug Bounty Program and vulnerability disclosure policy. We don't want researchers put in fear of legal consequences because of their good faith attempts to detect bugs and vulnerabilities. We cannot bind any third party, so do not assume that this protection extends to any action against any third party, including those related to good faith security research. If in doubt, please contact us before engaging in any specific action you think might be outside of the scope of this policy.
  • Because both identifying and non-identifying information can put a researcher at risk, we limit the information we share with third parties. We may provide non-identifying substantive information from your report to an affected third party, but only after notifying you and receiving a written binding commitment that the third party will not pursue legal action against you. We will only share identifying information (name, email address, phone number, etc) with a third party if you give your written permission to do so.
  • If your good faith security research as part of the Proton Bug Bounty Program violates certain restrictions in our website policies, the safe harbor terms permit a limited exemption.

This section makes sure that security researchers are safe from any prosecution when they act in good faith and comply with the rules of this Program.

  • Proton will not take civil action or file a criminal complaint against participants for accidental violations or infringements of Proton’s rights performed in compliance with this Policy.
  • Proton interprets activities by participants that comply with this Policy as authorized access under the Swiss Penal Code. This includes Swiss Penal Code paragraphs 143, 143bis and 144bis.
  • Proton will not take civil action or file a criminal complaint against participants for trying to circumvent the security measures deployed in order to protect the services in-scope for this Program.
  • Any non-compliance with this Policy may result in exclusion from the Program. For minor breaches, a warning may be issued. For severe breaches, the organizers reserve the right to take civil action and/or file a criminal complaint.
  • If a legal action is initiated by a third party against a participant and the participant has complied with this Policy, Proton will take the necessary measures to make it known to the competent authorities that such participant’s actions have been conducted in compliance with this Policy.

Questions?

Questions regarding this policy may be sent to security@proton.me. Proton encourages security researchers to contact us for clarification on any element of this policy.

Please contact us if you are unsure if a specific test method is inconsistent with or unaddressed by this policy before you begin testing. We also invite security researchers to contact us with suggestions for improving this policy.