Responsible Disclosure Program
If you want to disclose a bug or issue, please follow our Responsible Disclosure terms.
Last updated on April 27, 2022
We (MailerSend) treat the security of our customers very seriously, which is why we carry out rigorous testing and strive to write secure and clean code. Despite our meticulous testing and thorough QA, sometimes bugs occur.
For this reason, we encourage the community to responsibly disclose any bugs or issues. By reporting any issues to us, you accept these Responsible Disclosure Program terms.
1.1. Do not perform any attack, or DDoS, that could harm the reliability or integrity of our services or data.
1.2. Respect and comply with the law.
1.3. Do not attempt to gain access to another user’s account or data.
1.4. If you interacted with or obtained access to data and/or personal data, you must cease testing and stop any other actions that involve data and/or personal data immediately.
1.5. The reported bug must be original and previously unreported.
1.6. Do not contact the team asking for updates on a reported bug. If the team deems the reported bug worthy, we will respond. Reports that aren’t eligible won’t receive a response.
1.7. You can only access, disclose and report the issues that you tested on your own account(s).
1.8. You can only disclose the issue publicly after it is solved.
1.9. MailerSend reserves the right, at its sole discretion, to decide that the report is invalid for any reason (for instance, the reported bug is already known to us, the issue is not considered to be severe, etc.).
1.10. You cannot contact MailerSend support regarding the responsible disclosure. This will disqualify you from receiving the bug bounty if there is one.
1.11. All participants of the Responsible Disclosure Program are themselves responsible for any tax liability associated with bounty award payments.
2. Reports that won’t be considered eligible:
2.1. Vulnerabilities that do not cause any state changes (e.g. clickjacking that doesn’t do anything);
2.2. Features reported as vulnerabilities;
2.3. Email spoofing due to DMARC or SPF records;
2.4. Bugs that require unlikely user interaction. For example, a cross-site scripting flaw that requires the victim to manually type an XSS payload into our app and then double-click an error message may not meet the bar;
2.5. Vulnerabilities affecting users of outdated browsers;
2.6. Account brute force;
2.7. Mixed content warnings;
2.8. Error information that cannot be used for direct attack;
2.9. Unverified reports from automated tools or scanners;
2.10. Text typos;
2.11. Password strength reports.
3. How to report:
3.1. Include as much information as you can in clearly-written English. The report should include, but not be limited to:
3.1.1. All steps or actions required to reproduce the exploit of the vulnerability;
3.1.2. Logs and screenshots;
3.1.3. Video demonstration of the bug;
3.1.4. IPs that were used while testing;
3.1.5. Any other supporting evidence.
3.2. All of these things should be reported to firstname.lastname@example.org along with your contact details.
4. Bug bounty reward
4.1. Each bug bounty report will be individually evaluated based on the technical details provided in the report.
4.2. In order to get a reward, all criteria listed below must be met:
4.2.1. The reported bug is severe;
4.2.2. You cannot be in violation of any national, state, or local law or other applicable law or regulation;
4.2.3. You are at least 15 years of age, or have permission signed by your parents or legal guardians prior to participating in the bug bounty program;
4.2.4. You did not and will not access any personal information that is not your own and/or you do not have a legitimate legal basis to access personal data;
4.2.5. You are not currently, nor have you been, an employee (or outsourced service provider under the service agreement) of MailerSend, or a subsidiary or associated company, within 12 (twelve) months prior to submitting the report.
4.3. The reward may also be transferred to any non-profit organizations, animal shelters, etc. at the choice of the reporter or MailerSend team. Payments are granted solely at the exclusive discretion of the service provider.
4.4. Bounties can be paid via PayPal or wire transfer. If requested to make a payment via wire transfer, you will be required to provide an invoice prior to the transaction. We do not support any other form of payment (e.g. cryptocurrencies, cash, etc.).
5. Miscellaneous provisions
5.1. Please note that if you do not follow the terms of the Responsible Disclosure Program, we may initiate a lawsuit or law enforcement investigation against you.
5.2. We reserve the right to change these terms at any time. If we decide to change this document, we will post changes on this page. All changes are effective immediately upon posting.
5.3. These terms will begin when you disclose the bug or issue to us.