What is a bug bounty programme?
We are responsible for protecting access to our customer's emails, and all the sensitive information they contain.
As a team, we are security-first in our decisions: every architectural choice and feature proposal is considered from the beginning in the context of how it impacts data protection.
In pursuit of this goal, we acknowledge the underlying truth: you can diligently lock a million doors that you know about, but if there's just one you don't know about, someone will find it.
The Bug Bounty programme is our commitment to rewarding the security community in helping us achieve this goal, by using their expertise - and by dint of their sheer numerical volume that becomes expertise in every conceivable niche - to find any unknown open doors in our systems and close them, before any malicious agents do.
Targets
ActiveInbox primarily keeps most data within the browser extension, with only limited data synced to our server. Please see the Network Diagram and Data Storage Locations.
Restrictions
- No automatic scanning
- No DoS
- Attacks via locally installed malware must have a viable distribution mechanism, not protected against by anti-virus/malware
Rewards
| Severity | Reward |
|---|---|
| Major | $1k |
| Significant | $400 |
| Minor | $100 |
| Negligible | $10 |
Examples of Severity
The most important consideration is the data. Data is classified for Severity in the Privacy Data Record.
In addition, you might also consider:
| Vulnerability | Severity |
|---|---|
| Shell access to our server systems | Major |
| SQL Injection | Minimal (unless it affects data in the Data Record, for which that designation takes priority) |
| Working XSS/CSRF/SSRF | Minimal if it affects multiple users; Negligible if just single user (unless it affects data in the Data Record, for which that designation takes priority) |
If in doubt, we base all payouts on impact (ie what can actually be done with the vulnerability and what is the consequence to the user, or ActiveInbox as a viable service provider).
Exclusions
- HTTP 404 or <200 codes
- Disclosure of known public files or directories, (e.g. robots.txt)
- Clickjacking and issues only exploitable through clickjacking
- CSRF on forms that are available to anonymous users (e.g. login or contact form), or logout
- Error messages with non-sensitive data
- blog.activeinboxhq.com (hosted by Wordpress.com)
Report Criteria
- Business Impact - how it affects ActiveInbox
- Steps to reproduce
- Visual evidence (screenshot, attached files)
- Likelihood of Discovery, and subsequent Exploitation
Please submit the report to [email protected], from where we'll reply as quickly as possible.