At ProtonMail, our goal is to build the world’s most secure email service. In order to do this, community participation in securing ProtonMail is essential, and that is the spirit behind our bug bounty program. By getting security issues reported and fixed, we can better protect the millions around the world that use ProtonMail for sensitive communications.
Note, there is also a Bug Bounty Program for ProtonVPN which can be found here.
Scope: The program is limited to the servers and web and mobile applications run by ProtonMail. Our profiles on Facebook, Twitter, Linkedin, Eventbrite, etc, do not qualify. Qualifying sites include:
ProtonMail iOS and Android apps are also included in this program.
Judging: The judging panel to determine awards consists of ProtonMail developers assisted by one or more outside experts who are part of our security group. Program participants agree to respect the final decision made by the judges.
Responsible Disclosure: We request that all vulnerabilities be reported to us at firstname.lastname@example.org. We believe it is against the spirit of this program to disclose the flaw to third parties for purposes other than actually fixing the bug. Participants agree to not disclose bugs found until after they have been fixed and to coordinate disclosure with our team through our release notes to avoid confusion.
Responsible Testing: Please do not spam users, leverage black hat SEO techniques, run phishing campaigns, or do other similarly questionable things. We also discourage vulnerability testing that degrades the quality of service for our users. If in doubt, feel free to contact our Security Team at email@example.com.
Adherence to Rules: By participating in this program, you agree to adhere to the above rules and conditions. All rules must be followed to be eligible for awards.
Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program. This includes, but is not limited to:
We believe in working closely with security researchers and are willing to share technical details such as API specifications or infrastructure details with selected researchers with the aim of improving security for all ProtonMail users. Please contact firstname.lastname@example.org for more details.
Sometimes, bounties are awarded for suggestions for improvement which don’t fall into any of the above categories. This is determined on a case by case basis by our team. These include things such as:
ProtonMail receives much of it’s revenue through donations. As a result, we cannot pay bounties of the same size as the Google and Facebook. In fact, most of our security contributors are volunteers. The size of the bounty we pay is determined on a case by case basis, and largely depends on the severity of the issue. Rough bounty guidelines are provided below:
Minor server and web app vulnerabilities that do not compromise user data: $50
Vulnerabilities that can lead to data corruption: $100
Vulnerabilities that can lead to the disclosure of encrypted user data: $250
Maximum bounty: $500