atmail bug bounty program - atmail email hosting experts

Program Introduction

Effective Date: 5 February 2021

Atmail is committed to protecting our customers and their users. As part of this commitment, we invite security researchers to help protect Atmail and its users by proactively identifying security vulnerabilities via our bug bounty program. Our program is inclusive of all Atmail brands and technologies and offers rewards for a wide array of vulnerabilities. We encourage security researchers looking to participate in our bug bounty program to review this policy to ensure compliance with our rules and also to help you safely verify any vulnerabilities you may uncover.

Update as of: 12 February 2021

This program only applies to the most recent and supported version of atmail's products. As of this time, this means version a8.

Rules of Engagement

By submitting reports or otherwise participating in this program, you agree that you have read and will follow the Program Rules and Legal Terms sections of this program Policy.

Program Rules

  1. Test vulnerabilities only against accounts that you own or accounts that you have permission from the account holder to test against.

  2. Never use a finding to compromise/exfiltrate data or pivot to other systems. Use a proof of concept only to demonstrate an issue.

  3. If sensitive information, such as personal information, credentials, etc., is accessed as part of a vulnerability, it must not be saved, stored, transferred, accessed, or otherwise processed after initial discovery. All copies of sensitive information must be deleted and must not be retained.

  4. Researchers may not, and are not authorised to, engage in any activity that would be disruptive, damaging or harmful to Atmail, its brands or its users. This includes: social engineering, phishing, physical security and denial of service attacks against users, employees, or Atmail as a whole.

  5. Abide by the program scope. Only reports submitted to this program and against assets in scope will be eligible for monetary award.

  6. Researchers may not publicly disclose vulnerabilities (sharing any details whatsoever with anyone other than authorised Atmail employees), or otherwise share vulnerabilities with a third party, without Atmail's express written permission.

Violation of any of these rules can result in ineligibility for a bounty and/or removal from the program. Three strikes will earn you a temporary ban. Four strikes means a permanent ban.

Legal Terms

In connection with your participation in this program you agree to comply with Atmail's Terms of Service, Atmail's Privacy Policy (both available for viewing and download here), and all applicable laws and regulations, including any laws or regulations governing privacy or the lawful processing of data.

Atmail reserves the right to change or modify the terms of this program at any time. You may not participate in this program if you are a resident or individual located within a country appearing on any U.S. sanctions lists (such as the lists administered by the US Department of the Treasury’s OFAC), the Australian sanctions lists (such as the Consolidated List published by the Australian Department of Foreign Affairs and Trade) or the E.U. Sanctions Map (as published by the European Union).

Atmail does not give permission/authorisation (either implied or explicit) to an individual or group of individuals to (1) extract personal information or content of Atmail customers and/or their users or to publish this information on the open, public-facing internet without user consent or (2) modify or corrupt programs or data belonging to Atmail in order to extract and publicly disclose data belonging to Atmail.

Atmail employees (including former employees that separated from Atmail within the prior 12 months), contingent workers, contractors and their personnel, and consultants, as well as their immediate family members and persons living in the same household, are not eligible to receive bounties or rewards of any kind under any Atmail programs, whether hosted by Atmail or any third party.

Safe Harbour

Atmail will not initiate a lawsuit or law enforcement investigation against a researcher in response to reporting a vulnerability if the researcher fully complies with this Policy.

Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party may determine whether to pursue legal action. We cannot and do not authorise security research in the name of other entities. If legal action is initiated by a third party against you and you have complied with this Policy, we will take reasonable steps to make it known that your actions were conducted in compliance with this Policy.

You are expected, as always, to comply with all applicable laws and regulations.

Please submit a report to Atmail before engaging in conduct that may be inconsistent with or unaddressed by this Policy.

Responsible Disclosure of Vulnerabilities

We are continuously working to evolve our bug bounty program. We aim to respond to incoming submissions as quickly as possible and make every effort to have bugs fixed within 90 days of being triaged.

The latest versions of all currently supported products and services provided by Atmail are included in our bug bounty program. Please review the program scope before submitting a report. Private scope is accessible to invited researchers only.

Testing

Web traffic to and from Atmail and our hosting partners produces very large amounts of data every day. When testing, you can make it easier for us to identify your testing traffic against our normal data and the malicious actors out in the world. Please do the following when participating in Atmail bug bounty programs:

  • Where possible, register accounts using your primary email address used to contact Atmail.

  • Provide your IP address in the bug report. We will keep this data private and only use it to review logs related to your testing activity.

  • Include a custom HTTP header in all your traffic. Burp and other proxies allow the easy automatic addition of headers to all outbound requests. Report to us what header you set so we can identify it easily.

Identifier        | Format                                   | Example
Your Username     | X-Bug-Bounty: <email address>            | X-Bug-Bounty: [email protected]
Unique Identifier | X-Bug-Bounty: <uuid>                     | X-Bug-Bounty: 17a3c1db-8d05-49fa-ae76-a7a5ce15f464
Tool Identifier   | X-Bug-Bounty: <tool>-version-<version>   | X-Bug-Bounty: BurpSuitePro-version-2020.1
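As an added example (not part of Atmail's policy or tooling), this is how the receiving side could separate header-tagged researcher traffic from everything else in an access log using the three documented X-Bug-Bounty formats. The log layout, which assumes the server appends the header value as the last quoted field, and the sample lines are constructed for the example.

```python
import re
import uuid
from collections import defaultdict

# Constructed sample (not real Atmail data): a combined-format access log where the
# server appends the request's X-Bug-Bounty value, or "-" if absent, as the last
# quoted field. That log layout is an assumption of this example.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Feb/2021:10:00:01 +0000] "GET /login HTTP/1.1" 200 512 "researcher@example.com"
203.0.113.7 - - [12/Feb/2021:10:00:02 +0000] "POST /login HTTP/1.1" 302 0 "17a3c1db-8d05-49fa-ae76-a7a5ce15f464"
198.51.100.9 - - [12/Feb/2021:10:00:03 +0000] "GET /login HTTP/1.1" 200 512 "BurpSuitePro-version-2020.1"
192.0.2.44 - - [12/Feb/2021:10:00:04 +0000] "GET /login HTTP/1.1" 200 512 "-"
192.0.2.45 - - [12/Feb/2021:10:00:05 +0000] "GET /login HTTP/1.1" 200 512 "bogus value"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "(?P<tag>[^"]*)"$')
# The three header formats from the table above: e-mail, UUID, <tool>-version-<version>.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
TOOL_RE = re.compile(r"^[A-Za-z0-9_.]+-version-[A-Za-z0-9_.]+$")


def classify_tag(tag):
    """Return 'username', 'uuid' or 'tool' for a well-formed value, else None.
    Missing or malformed values count as untagged, so a bogus header does not
    buy its way into the researcher bucket."""
    if not tag or tag == "-":
        return None
    if EMAIL_RE.match(tag):
        return "username"
    try:
        uuid.UUID(tag)
        return "uuid"
    except ValueError:
        pass
    return "tool" if TOOL_RE.match(tag) else None


def partition_log(text):
    """Split log lines into researcher traffic (grouped by tag) and untagged traffic."""
    researcher, untagged = defaultdict(list), []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # line does not fit the assumed format; ignore it
        kind = classify_tag(m["tag"])
        if kind is None:
            untagged.append(m["ip"])
        else:
            researcher[(kind, m["tag"])].append(m["ip"])
    return dict(researcher), untagged
```

Untagged requests still go through the normal review path; the tag only lets the team pull a researcher's activity out of the noise quickly, which is why the policy also asks for the source IP in the report.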

When testing for a bug, please also keep in mind:

  • Only use authorised accounts so as not to inadvertently compromise the privacy of our users

  • When attempting to demonstrate root permissions with the following primitives in a vulnerable process, please provide the following:

    • Read: the contents of the file /proc/1/maps, or any other such sensitive file that you deem demonstrates the vulnerability

    • Write: create or modify the file (including metadata such as creation/modification times) /root/<your username>*, or a location you can write to whilst maintaining compliance with this policy

    • Execute: id, hostname, pwd (or any other shell level command that you deem demonstrates a vulnerability)

  • Minimise the mayhem. Adhere to program rules at all times. Do not use automated scanners/tools - these tools include payloads that could trigger state changes or damage production systems and/or data.

  • Before causing damage or potential damage: Stop, report what you've found and request additional testing permission.

Crafting a Report

If our security team cannot reproduce and verify an issue, a bounty cannot be awarded. To help streamline our intake process, we ask that submissions include:

  1. Description of the vulnerability

  2. Steps to reproduce the reported vulnerability

  3. Proof of exploitability (e.g. screenshot, video)

  4. Perceived impact to another user or the organization

  5. Proposed CVSSv3 Vector & Score (without environmental and temporal modifiers)

  6. List of URLs and affected parameters

  7. Other vulnerable URLs, additional payloads, Proof-of-Concept code

  8. Browser, OS and/or app version used during testing

Note: Failure to adhere to these minimum requirements may result in the loss of a reward.

All supporting evidence and other attachments must be stored only within the report you submit. Do not host any files on external services. Please submit all security reports as an email, with attachments, to [email protected]

Program Scope

Vulnerabilities in a specific web site or service should be reported if it is listed as “in scope”. Please see our detailed scope list at the bottom of this page for a full list of assets that are in scope of this program. This list is subject to change without notice.

If you’ve found a vulnerability that affects an asset belonging to Atmail, but is not included as in scope on any of the Atmail programs, please report it to [email protected]

Rewards

You will be eligible for a bounty only if you are the first person to disclose an unknown issue. Qualifying bugs will be rewarded based on severity, to be determined by Atmail in its sole discretion. Rewards are granted entirely at the discretion of Atmail, and will be paid within 30 days after Atmail awards the bounty to the researcher.

At Atmail's discretion, providing more complete research, proof-of-concept code and detailed write-ups may increase the bounty awarded. Conversely, Atmail may pay less for vulnerabilities that require complex or over-complicated interactions or for which the impact or security risk is negligible. Rewards may be denied if there is evidence of program policy violations. No bounty will be awarded for reports that impersonate an apparent vulnerability. Reports in third party software may not be eligible for bounties at Atmail’s discretion.

Payout Table

Where a monetary bounty is presented, eligible reports will be awarded based on severity after identifying final impact, as determined by Atmail.

Severity    | Payout (USD)
Critical    | $5,000
High        | $2,000
Medium      | $500
Low         | $50
Informative | $0

Valued Vulnerabilities

All reports will be awarded based on the Common Weakness Enumeration classification. This table provides the CWEs that we will accept, the severity ranges we will classify reports within for the CWE, and some examples of common vulnerability and attack names that we classify within each CWE that we will accept. This table serves only as a guide and the severity classification of a particular vulnerability will be determined by Atmail in its sole discretion.

Note: Non-listed vulnerabilities may also be eligible. Some vulnerability types may fall under a variety of severity ratings determined by scope/scale of exploitation and impact.

Severity (Low) | Severity (High) | CWE-ID  | Common Weakness Enumeration | Bug Examples
Critical       | Critical        | CWE-78  | OS Command Injection | Remote Code Execution; Code Injection; LDAP Injection
Critical       | Critical        | CWE-120 | Classic Buffer Overflow | Buffer Overflow
High           | Critical        | CWE-89  | SQL Injection | SQL Injection
Medium         | Critical        | CWE-918 | Server-Side Request Forgery | SSRF (unrestricted); Content-Restricted SSRF; Error-based SSRF (true/false); Blind SSRF
High           | Critical        | CWE-732 | Incorrect Permission Assignment for Critical Resource | IDOR; Horizontal Privilege Escalation; Vertical Privilege Escalation
Critical       | Critical        | CWE-91  | XML Injection | XML Injection
Critical       | Critical        | CWE-611 | Improper Restriction of XML External Entity Reference | XXE
High           | Critical        | CWE-134 | Uncontrolled Format String | Insecure Deserialisation
High           | Critical        | CWE-250 | Execution with Unnecessary Privileges | Privilege Escalation to System Account
Medium         | High            | CWE-444 | Inconsistent Interpretation of HTTP Requests | HTTP Request Smuggling
Low            | Critical        | CWE-829 | Inclusion of Functionality from Untrusted Control Sphere | Server Side Includes Injection; Local File Inclusion; Directory Traversal
Medium         | High            | CWE-306 | Missing Authentication for Critical Function | Exposed Administrative Interface
Medium         | Critical        | CWE-862 | Missing Authorisation | Horizontal Privilege Escalation; Vertical Privilege Escalation; IDOR
Low            | Critical        | CWE-200 | Information Exposure | User Enumeration with PII; Credentials on GitHub; Confidential Information Exposure
Informative    | High            | CWE-863 | Incorrect Authorisation | Authorisation Bypass; Account Takeover; Social Media Takeover (Brand, <12mo); Social Media Takeover (Personal); Social Media Takeover (Brand, >12mo)
Medium         | High            | CWE-798 | Use of Hard Coded Credentials | Hard Coded Credentials
Medium         | High            | CWE-434 | Unrestricted Upload of File with Dangerous Type | Unfiltered File Upload
Low            | High            | CWE-203 | Information Exposure Through Discrepancy | PHP Admin Information page; MySQL Information page (w/ credentials); Apache Status page
Medium         | Medium          | CWE-494 | Download of Code Without Integrity Check | S3 Bucket Upload
Low            | Medium          | CWE-311 | Missing Encryption of Sensitive Data | Cleartext Submission of Passwords
Low            | Medium          | CWE-807 | Reliance on Untrusted Inputs in a Security Decision |
Low            | Medium          | CWE-79  | Cross-Site Scripting | Stored XSS; POST-Based XSS; GET-Based XSS; DOM-Based XSS; CSS Injection
Medium         | Medium          | CWE-352 | Cross-Site Request Forgery | State-Changing CSRF; Non-State-Changing CSRF
Low            | Medium          | CWE-16  | Misconfiguration | Subdomain Takeover; Dangling DNS Record
Medium         | Medium          | CWE-93  | CRLF Injection | CRLF Injection
Low            | Low             | CWE-601 | Open Redirect | Open Redirect
Informative    | Low             | CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | Weak CAPTCHA
Informative    | Low             | CWE-307 | Improper Restriction of Excessive Authentication Attempts | Lack of Rate Limiting on Login; CAPTCHA Bypass

Borderline Out-of-Scope, No Bounty

These issues are eligible for submission, but not eligible for bounty or any award. Once triaged, they will be closed as Informative only if found to be valid or Spam if found to be not valid. When reporting vulnerabilities, please consider (1) attack scenario/exploitability and (2) security impact of the bug.

Note: 0-day vulnerabilities may be reported 30 days after initial publication. We have a team dedicated to tracking these issues; hosts identified by this team and internally ticketed will not be eligible for bounty.

  • Any non-Atmail Applications

  • Missing Security Best Practices

  • Confidential Information Leakage

  • Use of known-vulnerable library (without proof of exploitability)

  • Missing cookie flags

  • SSL/TLS Best Practices

  • Physical attacks

  • Results of automated scanners

  • Autocomplete attribute on web forms

  • "Self" exploitation

  • Flash-based XSS

  • Verbose error pages (without proof of exploitability)

  • Atmail software that is End of Life or no longer supported

  • Missing Security HTTP Headers (without proof of exploitability)

  • "Self" XSS

  • HTTP Host Header XSS

  • Clickjacking/UI Redressing

  • Intentional Open Redirects

  • Reflected file download

  • Incomplete/Missing SPF/DKIM/DMARC

  • Social Engineering attacks

  • Login/Logout/Unauthenticated CSRF

  • Using unreported vulnerabilities

  • Issues related to networking protocols

  • Software Version Disclosure

  • Denial of Service attacks

  • Account/email Enumeration

  • Internal pivoting, scanning, exploiting, or exfiltrating data

Do Not Report

The following issues are considered out of scope:

  • Those that resolve to third-party services

  • Issues that we are already aware of or have been previously reported

  • Issues that require unlikely user interaction

  • Disclosure of information that does not present a significant risk

  • Cross-site Request Forgery with minimal security impact

  • CSV injection

  • General best practice concerns

  • All Flash-related bugs

Special Situations

Same Bug, Different Host

For each report, please allow Atmail sufficient time to patch other host instances. If you find the same bug on a different (unique) host, prior to the report reaching a triaged state, file it within the existing report to receive an additional 5% bonus (per host, not domain). Any reports filed separately, while we are actively working to resolve the issue, will be treated as a duplicate.

Same Payload, Different Parameter

In some cases, rewards may be consolidated into a single payout. For example, multiple reports of the same vulnerability across different parameters of a resource, or demonstrations of multiple attack vectors against a fundamental framework issue. We kindly ask you to consolidate reports rather than separate them.

In Scope

Type        | Asset | Severity | Bounty
Domain      | *.atmail.com | Critical | Eligible
Domain      | *.atmailcloud.com | Critical | Eligible
Source code | All Atmail code shipped with its product, both source and binaries (in binary form) as supplied. Only the latest versions of the currently shipped and supported products are in scope. | Critical | Eligible
Service     | All Atmail Hosted services, both public and private cloud installations. | Critical | Eligible
Service     | All Atmail supplied customer service portals, third-party components excluded. | Critical | Eligible

Out of Scope

Type  | Asset
Other | All third party services associated with Atmail services.

Questions

Any questions about Atmail's Bug Bounty Program can be directed to [email protected]. Thank you.