ProtonMail Bug Bounty Program

At ProtonMail, our goal is to build the world’s most secure email service. In order to do this, community participation in securing ProtonMail and ProtonCalendar is essential, and that is the spirit behind our bug bounty program.

Note: there is also a separate Bug Bounty Program for ProtonVPN, which can be found here.


Scope: The program is limited to the servers and web and mobile applications run by ProtonMail. Our profiles on Facebook, Twitter, LinkedIn, Eventbrite, etc., do not qualify. Qualifying sites include:


ProtonMail iOS and Android apps are also included in this program.

Judging: The judging panel to determine awards consists of ProtonMail developers assisted by one or more outside experts who are part of our security group. Program participants agree to respect the final decision made by the judges.

Responsible Disclosure: We request that all vulnerabilities be reported to us at We believe it is against the spirit of this program to disclose the flaw to third parties for purposes other than actually fixing the bug. Participants agree to not disclose bugs found until after they have been fixed and to coordinate disclosure with our team through our release notes to avoid confusion.

Responsible Testing: Please do not spam users, leverage black hat SEO techniques, run phishing campaigns, or do other similarly questionable things. We also discourage vulnerability testing that degrades the quality of service for our users. If in doubt, feel free to contact our Security Team at

Adherence to Rules: By participating in this program, you agree to adhere to the above rules and conditions. All rules must be followed to be eligible for awards.

Qualifying vulnerabilities

Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program. This includes, but is not limited to:

Web Applications

  • Cross-site scripting
  • Cross-site request forgery
  • Mixed-content scripts
  • Authentication or authorization flaws
  • Server-side code execution bugs
  • REST API vulnerabilities


  • SMTP exploits (open relays, etc.)
  • Unauthorised shell access
  • Privilege escalation


  • Authentication or authorization flaws
  • Server-side code execution bugs
  • Mobile local data security breach (without rooting)

We believe in working closely with security researchers and are willing to share technical details such as API specifications or infrastructure details with selected researchers with the aim of improving security for all ProtonMail users. Please contact for more details.

Qualifying Improvements

Sometimes, bounties are awarded for suggestions for improvement that don’t fall into any of the above categories. This is determined on a case-by-case basis by our team. These include things such as:

  • Mail or web server configuration improvements
  • Firewall configurations
  • Improved DoS/DDoS safeguards
  • Path/information disclosure
  • ProtonMail blog or support page issues (such as unpatched WordPress or plugin vulnerabilities)

Non-Qualifying vulnerabilities

  • Flaws impacting out of date browsers (sorry, IE6 security issues don’t qualify)
  • Security issues outside the scope of ProtonMail’s mission
  • Phishing or social engineering attacks
  • Bugs requiring exceedingly unlikely user interactions
  • WordPress bugs (but please report those to WordPress)
  • Out-of-date software – for a variety of reasons, we do not always run the most recent software versions, but the software we do run is fully patched

Reward Amounts

ProtonMail cannot pay bounties of the same size as Google or Facebook, but we do our best to reward security research that stays within the guidelines of our program. In fact, most of our security contributors are volunteers. The size of the bounty we pay is determined on a case-by-case basis and largely depends on the severity of the issue. Rough bounty guidelines are provided below:

Maximum bounty: $10,000

Minor server and web app vulnerabilities that do not compromise user data: $50

Vulnerabilities that can lead to data corruption: $200

Vulnerabilities that can lead to the disclosure of encrypted user data: $1,000+

About the Author


We are scientists, engineers, and developers drawn together by a shared vision of protecting civil liberties online. Ensuring online privacy and security are core values for the ProtonMail team, and we strive daily to protect your rights online.

24 comments on “ProtonMail Bug Bounty Program”

  • Since you guys are building ProtonMail on a budget, and presumably people who are helping you iron out bugs are fans and users of ProtonMail, how about instead of giving money as rewards you give those users who find bugs higher storage limits, grandfathered in? I know I’d rather have that than a few bucks, while it would also be less costly to the company. Just a thought.

  • The paragraph headings “Non-Qualifying vulnerabilities” and “Reward Amounts” should have had an extra line above them, between them and the previous paragraph. As well, there’s probably an extra line or two between the $250 reward and the $500 reward.

    I’ll forego my bounty reward — this time.

  • Hey, can you put the donation address on the ‘Donate’ tabs so that I can easily donate? Thanks. Love @protonmail. Looking forward to the iOS app. Stay strong. Stay Encrypted.

  • Hi, I’m new and I would like to present an improvement, but I do not know if it qualifies as: “Security issues outside the scope of ProtonMail’s mission”

    For mobile applications it would be very desirable to add a local passcode like Telegram. It facilitates the task of maintaining a secure session, without the need to close and reopen the ProtonMail session.


  • Someone is forcing me to give them an email account that they can hack to get the password, or a personal phone number. I need an alternate way to set up an account. It needs to have a setting from the start that can capture someone’s IP address. If I can’t use it for an email, please find another email that can secure my email. If I give out a Gmail account it can be hacked. A phone can be hacked. I need to encrypt from the start, or make up another email account that can be used.

  • I get a warning in the Firefox address bar that it is not secure, on parts of a page such as images. The image of an orange or gold triangle with an exclamation mark in it appears next to the https// in the address bar. What does that mean and how can that be resolved?

  • I LOVE you guys and gals for trying to get the Surveillance State off our backs! I really have nothing to hide, but still… it’s the PRINCIPLE of the thing. The 20-somethings who want the entire world to know what they are eating for lunch SCARE ME TO DEATH. Freedom means the freedom to be let alone… even if you’re not doing anything. I, for one, would contribute any “bounty” back to the program to be used to develop the features of the FREE service so that feature-rich, basic PRIVACY can be available to MORE people. Those who can afford it don’t HAVE to worry about their privacy… as usual, it’s the poor and struggling who take it in the shorts and the rich who get all the goodies!

  • The thing is that no matter what, someone will find a bug. But if the community does do well then yes, all the ones that are easy to use or exploit will be patched, meaning learners/next-level hackers won’t be able to do anything, which is really nice! But some people, such as web developers who know of a breach in any website or a flaw, will always exploit it without getting it caught or patched unless it is shared.
    Stay Secure
    Stay Encrypted
    and Stay Safe!

  • Hello,

    Some weeks ago I reported bugs in the web interface of ProtonMail that are still present:
    # possible to move unmarked emails to the recycle bin
    # possible to delete unmarked emails from the recycle bin


  • Hello,

    Still no working Proton VPN server when using the Proton DNS server.

    Because of this, to use a Proton VPN connection the user needs to use another, usually LOGGED, DNS server like the following: