ProtonMail Bug Bounty Program

At ProtonMail, our goal is to build the world’s most secure email service. In order to do this, community participation in securing ProtonMail and ProtonCalendar is essential, and that is the spirit behind our bug bounty program.

Note, there is also a Bug Bounty Program for ProtonVPN, which can be found here.
Scope: The program is limited to the servers and web and mobile applications run by ProtonMail. Our profiles on Facebook, Twitter, LinkedIn, Eventbrite, etc., do not qualify. Qualifying sites include:
ProtonMail iOS and Android apps are also included in this program.

Judging: The judging panel to determine awards consists of ProtonMail developers assisted by one or more outside experts who are part of our security group. Program participants agree to respect the final decision made by the judges.

Responsible Disclosure: We request that all vulnerabilities be reported to us at We believe it is against the spirit of this program to disclose the flaw to third parties for purposes other than actually fixing the bug. Participants agree to not disclose bugs found until after they have been fixed and to coordinate disclosure with our team through our release notes to avoid confusion.

Responsible Testing: Please do not spam users, leverage black hat SEO techniques, run phishing campaigns, or do other similarly questionable things. We also discourage vulnerability testing that degrades the quality of service for our users. If in doubt, feel free to contact our Security Team at

Adherence to Rules: By participating in this program, you agree to adhere to the above rules and conditions. All rules must be followed to be eligible for awards.

Qualifying vulnerabilities

Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program. This includes, but is not limited to:

Web Applications

  • Cross-site scripting
  • Cross-site request forgery
  • Mixed-content scripts
  • Authentication or authorization flaws
  • Server-side code execution bugs
  • REST API vulnerabilities


  • SMTP exploits (open relays, etc.)
  • Unauthorised shell access
  • Privilege escalation


  • Authentication or authorization flaws
  • Server-side code execution bugs
  • Mobile local data security breach (without rooting)

We believe in working closely with security researchers and are willing to share technical details such as API specifications or infrastructure details with selected researchers with the aim of improving security for all ProtonMail users. Please contact for more details.

Qualifying Improvements

Sometimes, bounties are awarded for suggestions for improvement which don’t fall into any of the above categories. This is determined on a case-by-case basis by our team. These include things such as:

  • Mail or web server configuration improvements
  • Firewall configurations
  • Improved DOS/DDoS safeguards
  • Path/information disclosure
  • ProtonMail blog or support page issues (such as unpatched WordPress or plugin vulnerabilities)

Non-Qualifying vulnerabilities

  • Flaws impacting out of date browsers (sorry, IE6 security issues don’t qualify)
  • Security issues outside the scope of ProtonMail’s mission
  • Phishing or social engineering attacks
  • Bugs requiring exceedingly unlikely user interactions
  • WordPress bugs (but please report those to WordPress)
  • Out of date software – For a variety of reasons, we do not always run the most recent software versions, but we do run software that is fully patched

Reward Amounts

ProtonMail cannot pay bounties of the same size as Google or Facebook, but we do our best to reward security research that stays within the guidelines of our program. In fact, most of our security contributors are volunteers. The size of the bounty we pay is determined on a case-by-case basis, and largely depends on the severity of the issue. Rough bounty guidelines are provided below:

Maximum bounty: $10,000

Minor server and web app vulnerabilities that do not compromise user data: $50

Vulnerabilities that can lead to data corruption: $200

Vulnerabilities that can lead to the disclosure of encrypted user data: $1,000+

About the Author

Proton Team

Proton was founded by scientists who met at CERN and had the idea that an internet where privacy is the default is essential to preserving freedom. Our team of developers, engineers, and designers from all over the world is working to provide you with secure ways to be in control of your online data.

33 comments on “ProtonMail Bug Bounty Program”

  • Since you guys are building ProtonMail on a budget, and presumably people who are helping you iron out bugs are fans and users of ProtonMail, how about instead of giving money as rewards you give those users who find bugs higher storage limits, grandfathered in? I know I’d rather have that than a few bucks, while it would also be less costly to the company. Just a thought.

  • I’ve noticed it much slower than the previous version. Are you able to address the speed issues?

  • Noticed that some emails in my inbox are showing up as DKIM-valid, but I know that they actually aren’t. Please fix!

  • The paragraph headings “Non-Qualifying vulnerabilities” and “Reward Amounts” should have had an extra line above them, between them and the previous paragraph. As well, there’s probably an extra line or two between the $250 reward and the $500 reward.

    I’ll forego my bounty reward — this time.

  • Hey, can you put the donation address on the ‘Donate’ tabs so that I can easily donate? Thanks. Love @protonmail. Looking forward to the iOS app. Stay strong. Stay Encrypted.

  • Hi, I’m new and I would like to present an improvement, but I do not know if it qualifies as: “Security issues outside the scope of ProtonMail’s mission”

    For mobile applications it would be very desirable to add a local passcode like Telegram. It facilitates the task of maintaining the secure session, without the need to close and reopen the Protonmail session.

  • Someone is forcing me to give them an email acct that they can hack to get my password, or a personal phone number. I need an alternate way to set up an account. It needs to have a setting from the start that can capture someone’s IP address. If I can’t use it for an email, please find another email that can secure my email. If I give out a Gmail account it can be hacked. A phone can be hacked. I need to encrypt from the start. Or make up another email account that can be used.

  • I get a warning in the Firefox address bar that is not secure, on parts of a page such as images. The image of an orange or gold triangle with an exclamation mark in it appears next to the https// in the address bar. What does that mean and how can that be resolved?

  • I LOVE you guys and gals for trying to get the Surveillance State off our backs ! I really have nothing to hide, but still… it’s the PRINCIPLE of the thing. The 20 somethings who want the entire world to know what they are eating for lunch SCARE ME TO DEATH. Freedom means the freedom to be let alone…even if you’re not doing anything. I, for one, would contribute any “bounty” back to the program to be used to develop the features of the FREE service so that feature rich, basic PRIVACY can be available to MORE people. Those who can afford it, don’t HAVE to worry about their privacy… as usual, it’s the poor and struggling who take it in the shorts and the rich who get all the goodies !

  • The thing is that no matter what, someone will find a bug. But if the community does do well then yes, all the ones that are easy to use or exploit will be patched, meaning learners/next-level hackers won’t be able to do anything, which is really nice! But some people such as web developers that know a breach in any website or a flaw will always exploit it without getting it caught or patched unless shared.
    Stay Secure
    Stay Encrypted
    and Stay Safe!

  • Hello,

    Still some weeks ago I reported bugs in the web interface of ProtonMail:
    # possible to move unmarked emails to the recycle bin
    # possible to delete unmarked emails from the recycle bin


  • Hello,

    Still no working Proton VPN server when using the Proton DNS server

    Depending on this, users need, for using a Proton VPN connection, to use other, usually LOGGED DNS servers like the following:


  • Could someone in the corporate office please contact me.

    I have a group of men in the cyber security industry harassing me and illegally accessing every email, credit card, bank account. This is just one site. This is my soon-to-be ex-husband and his colleagues.

    They are from the following companies

    Sabre, Sans, KPMG, Atos and more…

  • I don’t know if I’m in the right area. I do NOT have ProtonMail, however, my email has been taken over by it to some degree. Some of my recipients, when I send them an email from MY account, are receiving an email stating it is coming from “” and when they respond to me get an email saying cannot send, but hours later I will eventually receive their response.
    I have had my email program for 25+ years and never had a problem before! My security team has worked on it and cannot fix this.
    If I send myself an email saying “test” it never comes back.
    My email is

  • Interested in your email service. Just how hard would it be for me to transfer from Google mail over to proton mail?

    Do you have an app that can be used on both iPhone and iPad?

    This is for personal use.

    • Hi Elizabeth,

      1. We have developed an Import Assistant to make transferring from Gmail to ProtonMail as easy as possible. Please see here for more details.
      2. Yes, we have an iOS app that works on both the iPhone and iPad.

  • 1) I have a paid (not free) Protonmail subscription. How can I update the new Proton features to my computer?
    2) For the non-technical users of your system, is there an index with definitions of terms?
    3) I send unencrypted email communications to up to 600 members of our community occasionally. Will Protonmail allow me to do this?