Bug Bounty Program

We invite security researchers to investigate potential
vulnerabilities in Atmail, as long as your research
follows this responsible research and disclosure policy.

What you need to do

Avoid harm or risk to Atmail, our users, or third parties.

This is common sense, but guidelines can be found below on what we’re not looking for.

Report through a legitimate channel.

This means through our Bug Bounty Program.

Don’t disclose without our agreement.

Keep information about potential vulnerabilities confidential between yourself and Atmail until Atmail has verified the vulnerability, and has then had at least 90 days to resolve it.

What you can't do

No privacy violations.

Respect privacy by only using accounts you have created.

Nothing that degrades our service.

Examples include Denial of Service and modifying configurations. Instead, show deficiencies in any rate limiting through a well targeted test.

No deletion or damage of resources.

Instead, limit damage to resources you create or own.

No creation or sharing of inappropriate content.

Keep any content you generate (as part of a proof-of-concept) simple and respectful of others.

No lasting harm.

Avoid leaving persistent payloads, XSS or the like behind you. Instead, use non-harmful payloads, track what you do, limit who is exposed as much as possible, and clean up!

No targeting our staff, investors or physical environment.

This includes spear phishing and physical testing.

Our commitment

If you follow these guidelines, we commit to:

  • Not pursuing or supporting legal action related to your research;
  • Working with you to understand issues, and resolve them if Atmail considers it necessary; and
  • Taking steps to make it known that your actions were conducted in compliance with these guidelines (if a third-party initiates legal action against you, in connection with activities in our program’s scope).

Rewards

As part of encouraging security researchers to put our security to the test, we offer a variety of rewards for doing so if:

  • The reported vulnerability is verifiable;
  • It hasn't been reported already; and
  • You've conducted your activities in a manner consistent with our guidelines.

Rewards are provided at Atmail's discretion, based on the severity of the bug and the quality of the report.

Play by the rules

Play by the rules

By submitting reports or otherwise participating in this program, you agree that you have read and will follow the Program Rules and Legal Terms sections of our full Bug Bounty Program Policy.

Violation of any of these rules can result in ineligibility for a bounty and/or removal from the program. Three strikes will earn you a temporary ban. Four strikes will give you a permanent ban.

Report a vulnerability

Report a vulnerability

Please submit all security reports via email (with attachments) to [email protected]. All supporting evidence and other attachments must be stored only within the report you submit. Do not host any files on external services.

Any questions about Atmail’s Bug Bounty Program can be directed to [email protected].

Ready to submit?

Submit now