Bug Bounty Program

We invite security researchers to investigate potential
vulnerabilities in Atmail, as long as your research
follows this responsible research and disclosure policy.

What you need to do

Avoid harm or risk to Atmail, our users, or third parties.

This is common sense, but guidelines can be found below on what we’re not looking for.

Report through a legitimate channel.

This means through our Bug Bounty Program.

Don’t disclose without our agreement.

Keep information about potential vulnerabilities confidential between yourself and Atmail until Atmail has verified the vulnerability, and has then had at least 90 days to resolve it.

What you can't do

No privacy violations.

Respect privacy by only using accounts you have created.

Nothing that degrades our service.

Examples include Denial of Service and modifying configurations. Instead, show deficiencies in any rate limiting through a well targeted test.

No deletion or damage of resources.

Instead, limit damage to resources you create or own.

No creation or sharing of inappropriate content.

Keep any content you generate (as part of a proof-of-concept) simple and respectful of others.

No lasting harm.

Avoid leaving persistent payloads, XSS or the like behind you. Instead, use non-harmful payloads, track what you do, limit who is exposed as much as possible, and clean up!

No targeting our staff, investors or physical environment.

This includes spear phishing and physical testing.

Our commitment

If you follow these guidelines, we commit to:

  • Not pursuing or supporting legal action related to your research;
  • Working with you to understand issues, and resolve them if Atmail considers it necessary; and
  • Taking steps to make it known that your actions were conducted in compliance with these guidelines (if a third-party initiates legal action against you, in connection with activities in our program’s scope).


As part of encouraging security researchers to put our security to the test, we offer a variety of rewards for doing so if:

  • The reported vulnerability is verifiable;
  • It hasn't been reported already; and
  • You've conducted your activities in a manner consistent with our guidelines.

Rewards are provided at Atmail's discretion, based on the severity of the bug and the quality of the report.

Ready to submit?

Submit now