Vulnerability disclosure policy

Last modified: October 7, 2022

As a company founded by scientists who met at CERN, we believe in peer review. That's why we support the independent security community to help us maintain the security of our systems and protect sensitive information from unauthorized disclosure. We encourage security researchers to contact us to report potential vulnerabilities identified in Proton products.

This policy specifies:

  • What systems and applications are in scope
  • What types of security research methods are covered
  • How to report potential security vulnerabilities to us
  • Our vulnerability disclosure philosophy and how long we will ask you to wait before publicly disclosing vulnerabilities

Proton will acknowledge receipt of reports that comply with this vulnerability disclosure policy within five (5) business days. Upon receipt, we will endeavor to validate submissions, implement corrective actions (if appropriate), and inform researchers of the disposition of reported vulnerabilities with minimum delay.

If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized per Proton’s legal safe harbor policy. We will work with you to understand and resolve the issue quickly and will not recommend or pursue legal action against you for any of your action(s) related to your research.

Test methods

Security researchers must not:

  • Test any system other than the systems set forth in the Scope section below
  • Disclose vulnerability information except as set forth in the Reporting a vulnerability and Disclosure sections below
  • Engage in physical testing of facilities or resources
  • Engage in social engineering
  • Send unsolicited electronic mail to Proton users, including “phishing” messages
  • Execute or attempt to execute “denial of service” or “resource exhaustion” attacks
  • Introduce malicious software in the systems of Proton or any third party
  • Perform tests that could degrade the operation of Proton systems or intentionally impair, disrupt, or disable Proton systems
  • Test third-party applications, websites, or services that integrate with or link to or from Proton systems
  • Delete, alter, share, retain, or destroy Proton data, or render Proton data inaccessible
  • Use an exploit to exfiltrate data, establish command line access, establish a persistent presence on Proton systems, or “pivot” to other Proton systems

Security researchers may:

  • View or store Proton nonpublic data only to the extent necessary to document the presence of a potential vulnerability

Security researchers must:

  • Cease testing and notify us immediately upon discovery of a vulnerability
  • Cease testing and notify us immediately upon discovery of an exposure of nonpublic data
  • Purge any stored nonpublic data upon reporting a vulnerability

Scope

The following systems and services are in scope:

  • Our website, proton.me
  • The mail.proton.me web app
  • The calendar.proton.me web app
  • The drive.proton.me web app
  • The account.proton.me web app
  • Proton Mail web app
  • Proton Mail Android and iOS apps
  • api.protonmail.ch
  • Proton Drive
  • Proton Drive Windows and Android apps
  • Proton Drive iOS/iPad app (in beta)
  • Proton Calendar
  • Proton Calendar iOS/iPad app (in beta)
  • Proton VPN
  • Our VPN website, protonvpn.com
  • account.protonvpn.com
  • api.protonvpn.ch
  • Proton VPN Windows, macOS, Linux, iOS/iPad, and Android apps
  • Proton Bridge for Windows, macOS, and GNU/Linux

Any services not explicitly listed above are excluded from the scope of this policy. For clarity, this includes, but is not limited to:

  • Spam
  • Social engineering techniques
  • Denial-of-service attacks
  • Content injection, unless you can clearly demonstrate a significant risk to Proton or its users
  • Executing scripts on sandboxed domains
  • Mobile app crash reports that are not reproducible on up-to-date OS versions or mobile devices released within the last two (2) calendar years
  • Security issues outside the scope of Proton Mail’s mission
  • Bugs that require exceedingly unlikely user interactions
  • WordPress bugs (please report those to WordPress)
  • Proof of concepts that require physical access to the device
  • Out-of-date software — For a variety of reasons, we do not always run the most recent software versions, but we do run software that is fully patched
  • Flaws impacting out-of-date browsers

Reporting a vulnerability

Reports are accepted via electronic mail at security@proton.me. Acceptable message formats are plain text, rich text, and HTML. We encourage you to encrypt submissions using our PGP public key when submitting vulnerabilities.

  • We prefer reports that include proof-of-concept code demonstrating exploitation of the vulnerability.
  • Reports should provide a detailed technical description of the steps required to reproduce the vulnerability, including a description of any tools needed to identify or exploit the vulnerability.
  • Images (e.g., screen captures) and other documents may be attached to reports. It is helpful to give attachments illustrative names.
  • We request that any scripts or exploit code be embedded into non-executable file types.
  • We can process all common file types and archives, including zip, 7zip, and gzip.

Researchers may submit reports anonymously or provide contact information, including how and when the Proton Security team should contact them. We may contact researchers to clarify aspects of the submitted report or gather other technical information.

By submitting a report to Proton, you affirm that the report and any attachments do not violate the intellectual property rights of any third party. You also grant Proton a non-exclusive, royalty-free, worldwide, perpetual license to use, reproduce, create derivative works, and publish the report and any attachments.

Disclosure

Proton is committed to the timely correction of vulnerabilities. We will work diligently to resolve any issues that put our community at risk. We ask all researchers to bear with us as we examine the reports you submit to us, as the public disclosure of a vulnerability in the absence of a readily available corrective action likely increases rather than decreases our community’s security risk.

Accordingly, we require that you refrain from sharing information about discovered vulnerabilities for 120 calendar days after you have received our acknowledgement of receipt of your report. If you believe others should be informed of the vulnerability prior to our implementation of corrective actions, you must coordinate in advance with the Proton Security team.

We may share vulnerability reports with affected vendors. We will not share the names or contact data of security researchers unless given explicit permission.

Questions?

Questions regarding this policy may be sent to security@proton.me. Proton encourages security researchers to contact us for clarification on any element of this policy.

Please contact us if you are unsure if a specific test method is inconsistent with or unaddressed by this policy before you begin testing. We also invite security researchers to contact us with suggestions for improving this policy.