Thank you for your concern

Keeping customer data safe and secure is a huge responsibility and a top priority. We work hard to protect our subscribers from the latest threats. Your input and feedback on our security is always appreciated.

Reporting security problems

Please report security vulnerabilities via our contact e-mail addresses below. We’ll review your report and get back to you as soon as we can, usually within 72 hours. Please e-mail our Security team if you have questions about the bug bounty program or don’t hear back from us in a timely manner.

For other urgent or sensitive reports, please e-mail our Security team. We’ll respond as soon as we can.

For requests that aren't urgent or sensitive: submit a support request.

For all security reports, you are welcome to encrypt your message with the PGP keys listed in our security.txt file.

Tracking and disclosing security issues

We work with security researchers to keep up with the state-of-the-art in web security. Have you discovered a web security flaw that might impact our products? Please let us know. If you submit a report, here’s what will happen:

  • We’ll acknowledge your report.
  • We’ll triage your report and determine whether it’s eligible for a bounty.
  • We’ll investigate the issue and determine how it impacts our products. We won’t disclose issues until they’ve been fully investigated and patched, but we’ll work with you to ensure we fully understand severity and impact.
  • Once the issue is resolved, we'll inform you of the result and pay any eligible bounty.

Security

Bounties range from USD $25 to $1,000 and scale according to impact and ingenuity, from an unlikely low-sensitivity XSS to a deep, novel RCE. One bounty per bug; first discovery claims it; ties break toward the best-written report.

The following areas are most important to us:

  • Strong auth (sign-in, sessions, OAuth, account recovery)
  • Access control (bypasses, faults, CSRF, etc.)
  • Injection prevention (SQL, XSS, method args, etc.)

The following areas are considered out of scope and not eligible for a bug bounty:

  • Hyperlink injection on e-mails
  • Rate limiting
  • Best practices concerns (we require evidence of a security vulnerability)
  • Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
  • Race conditions that don't compromise the security of any user or Air Mail
  • Reports about theoretical damage without a real risk
  • The output of automated scanners without explanation
  • CSRF with no security implications (like Login/logout/unauthenticated CSRF)
  • Broken links
  • Missing cookie flags on non-security sensitive cookies
  • Attacks requiring physical access to a user's device
  • Missing security headers not related to a security vulnerability
  • Reports of insecure SSL/TLS ciphers unless you have a working proof of concept
  • Banner grabbing issues to figure out the stack we use or software version disclosure
  • Open ports without a vulnerability
  • Password and account recovery policies, such as reset link expiration or password complexity
  • Disclosure of known public files or directories (e.g. robots.txt)
  • Reports of spam
  • Username/e-mail address enumeration
  • Presence of autocomplete attribute on web forms
  • DNSSEC and DANE
  • HSTS or CSP headers
  • Host header injection unless you can show how a third-party can exploit it
  • Reflected File Download (RFD)
  • EXIF information not stripped from uploaded images
  • Existing sessions not being invalidated
  • DoS vulnerabilities based on submitting a large payload in an input field and triggering a 500 error
  • DoS vulnerabilities based on unlimited password length (hint: the password length is not unlimited)
  • DoS vulnerabilities based on lack of pagination or lots of user content slowing response times
  • DoS vulnerabilities based on repeated submission of forms
  • Using product features like signup/forgot-password to deliver messages to any e-mail address
  • Typos, content inaccuracies, factual issues, or other editorial content errors

The scope of security reporting is also limited to our domain at airmail.news. No other domains are within this scope.

Thanks for working with us

We respect the time and talent that drives new discoveries in web security technology.

Adapted from the Basecamp open-source policies / CC BY 4.0