Bug Bounty

What is a bug bounty programme?

We are responsible for protecting access to our customer's emails, and all the sensitive information they contain.

As a team, we are security-first in our decisions: every architectural choice and feature proposal is considered from the beginning in the context of how it impacts data protection.

In pursuit of this goal, we acknowledge the underlying truth: you can diligently lock a million doors that you know about, but if there's just one you don't know about, someone will find it.

The Bug Bounty programme is our commitment to rewarding the security community in helping us achieve this goal, by using their expertise - and by dint of their sheer numerical volume that becomes expertise in every conceivable niche - to find any unknown open doors in our systems and close them, before any malicious agents do.


ActiveInbox primarily keeps most data within the browser extension, with only limited data synced to our server. Please see the Network Diagram and Data Storage Locations.



Severity Reward
Major $1k
Significant $400
Minor $100
Negligible $10

Examples of Severity

The most important consideration is the data. Data is classified for Severity in the Privacy Data Record.

In addition, you might also consider:

Vulnerability Severity
Shell access to our server systems Major
SQL Injection Minimal (unless it affects data in the Data Record, for which that designation takes priority)
Working XSS/CSRF/SSRF Minimal if it affects multiple users; Negligible if just single user (unless it affects data in the Data Record, for which that designation takes priority)

If in doubt, we base all payouts on impact (ie what can actually be done with the vulnerability and what is the consequence to the user, or ActiveInbox as a viable service provider).


Report Criteria

Please submit the report to [email protected], from where we'll reply as quickly as possible.