ProtonMail Bug Bounty Program

ProtonMail Bug Bounty Program

UPDATE Feb 2nd, 2016: We have made a number of updates to our bug bounty program. The updated program is below:

At ProtonMail, our goal is to build the world’s most secure email service. In order to do this, community participation in securing ProtonMail is essential, and that is the spirit behind our bug bounty program. By getting security issues reported and fixed, we can better protect the thousands around the world that use ProtonMail for sensitive communications.

Rules

Scope: The program is limited to the servers and web and mobile applications run by ProtonMail. Our profiles on Facebook, Twitter, LinkedIn, Eventbrite, etc., do not qualify. Qualifying sites include:

protonmail.com
mail.protonmail.com
api.protonmail.ch [Note: .ch and not .com]

ProtonMail iOS and Android apps are also included in this program.

Judging: The judging panel to determine awards consists of ProtonMail developers assisted by one or more outside experts who are part of our security group. Program participants agree to respect the final decision made by the judges.

Responsible Disclosure: We request that all vulnerabilities be reported to us at security@protonmail.ch. We believe it is against the spirit of this program to disclose the flaw to third parties for purposes other than actually fixing the bug. Participants agree to not disclose bugs found until after they have been fixed and to coordinate disclosure with our team through our release notes to avoid confusion.

Responsible Testing: Please do not spam users, leverage black hat SEO techniques, run phishing campaigns, or do other similarly questionable things. We also discourage vulnerability testing that degrades the quality of service for our users. If in doubt, feel free to contact our Security Team at security@protonmail.ch.

Adherence to Rules: By participating in this program, you agree to adhere to the above rules and conditions. All rules must be followed to be eligible for awards.

Qualifying vulnerabilities

Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program. This includes, but is not limited to:

Web Application

  • Cross-site scripting
  • Cross-site request forgery
  • Mixed-content scripts
  • Authentication or authorization flaws
  • Server-side code execution bugs
  • REST API vulnerabilities

Server

  • SMTP exploits (open relays, etc)
  • Unauthorised shell access
  • Privilege escalation

Mobile

  • Authentication or authorization flaws
  • Server-side code execution bugs
  • Mobile local data security breach (without rooting)

We believe in working closely with security researchers and are willing to share technical details such as API specifications or infrastructure details with selected researchers with the aim of improving security for all ProtonMail users. Please contact security@protonmail.ch for more details.

Qualifying Improvements

Sometimes, bounties are awarded for suggestions for improvement which don’t fall into any of the above categories. This is determined on a case-by-case basis by our team. These include things such as:

  • Mail or web server configuration improvements
  • Firewall configurations
  • Improved DOS/DDoS safeguards
  • Path/information disclosure
  • ProtonMail blog or support page issues (such as unpatched WordPress or plugin vulnerabilities)


Non-Qualifying vulnerabilities

  • Flaws impacting out of date browsers (sorry, IE6 security issues don’t qualify)
  • Security issues outside the scope of ProtonMail’s mission
  • Phishing or social engineering attacks
  • Bugs requiring exceedingly unlikely user interactions
  • WordPress bugs (but please report those to WordPress)
  • Out of date software – For a variety of reasons, we do not always run the most recent software versions, but we do run software that is fully patched


Reward Amounts

ProtonMail receives much of its revenue through donations. As a result, we cannot pay bounties of the same size as Google and Facebook. In fact, most of our security contributors are volunteers. The size of the bounty we pay is determined on a case-by-case basis, and largely depends on the severity of the issue. Rough bounty guidelines are provided below:

Minor server and web app vulnerabilities that do not compromise user data: $50

Vulnerabilities that can lead to data corruption: $100

Vulnerabilities that can lead to the disclosure of encrypted user data: $250


Maximum bounty: $500

About the Author

Admin

We are scientists, engineers, and developers drawn together by a shared vision of protecting civil liberties online. Ensuring online privacy and security are core values for the ProtonMail team, and we strive daily to protect your rights online.


11 comments on “ProtonMail Bug Bounty Program”

  • Since you guys are building ProtonMail on a budget, and presumably people who are helping you iron out bugs are fans and users of ProtonMail, how about instead of giving money as rewards you give those users who find bugs higher storage limits, grandfathered in? I know I’d rather have that than a few bucks, while it would also be less costly to the company. Just a thought.

    Reply
  • The paragraph headings “Non-Qualifying vulnerabilities” and “Reward Amounts” should have had an extra line above them, between them and the previous paragraph. As well, there’s probably an extra line or two between the $250 reward and the $500 reward.

    I’ll forego my bounty reward — this time.

    Reply
  • Hey, can you put the donation address on the ‘Donate’ tabs so that I can easily donate? Thanks. Love @protonmail. Looking forward to the iOS app. Stay strong. Stay Encrypted.

    Reply
  • Hi, I’m new and I would like to present an improvement, but I do not know if it qualifies as: “Security issues outside the scope of ProtonMail’s mission”

    For mobile applications it would be very desirable to add a local passcode like Telegram. It facilitates the task of maintaining the secure session, without the need to close and reopen the Protonmail session.

    Cheers

    Reply
  • Someone is forcing me to give them an email acct that they can hack to get the password, or a personal phone number. I need an alternate way to set up an account. It needs to have a setting from the start that can capture someone’s IP address. If I can’t use protonmail.com for an email, please find another email that can secure my email. If I give out a gmail account it can be hacked. A phone can be hacked. I need to encrypt from the start. Or make up another email account that can be used /

    Reply