Update, March 9th 2021: The security bounty program is temporarily deactivated for now. We won’t be accepting any requests nor paying rewards until it is re-activated.
At ImprovMX, the security of our users’ data is a priority. We build our software and infrastructure with this goal in mind. That’s why we decided to welcome your help through our bounty program to put our security to the test!
To take advantage of it, you’ll need to follow a few guidelines:
- Do not disturb the service. Follow the ToS. Avoid automated testing.
- Only test with your data. Do not interact with other accounts.
- If you gain access to our system, report it immediately.
- Do not publish any information regarding the vulnerability until we have fixed it.
- We only award one bounty per vulnerability. If we receive multiple reports, the first one will receive the reward.
What we’re looking for
We’re looking for any security exploit. But we’ll be extra generous with:
- Tampering with the data of other users. For example, this could be sending or receiving email on behalf of other users. Please note that merely proving an account exists isn’t enough.
- Bypassing our API’s security: if you’re able to go well beyond your quota of domains, aliases or sent emails per day, or to avoid authentication altogether.
- Getting access to our email firehose servers, queue management or analytics
- Cross-site scripting (XSS)
- Server-side code execution
Please keep in mind this bounty program doesn’t concern regular bugs in our application, but only security flaws allowing intruders to gain access to data of other users. If you wish to report a regular bug, contact email@example.com.
Examples of Non-Qualifying exploits
Some exploits are excluded from our compensation scheme, including:
- Mixed-content scripts
- Social engineering
- Failures to adhere to “best practices” (for example, common HTTP headers, link expiration, email-validation or password policy)
- Issues applying to our non-official domains and sub-domains.
- Issues related to someone taking over another authentication method not related to ImprovMX (computer left unattended, 2FA invalidation, etc.)
Examples of Non-Qualifying reports
These are theoretical vulnerabilities we’re aware of, but we decided they didn’t present any risk in our case:
- Non-expiring session cookie: ImprovMX is protected through the use of HTTPS and our inclusion in the HSTS preload list of major browsers.
- Getting device or location information from a team member.
- Ability to tamper with our phishing and spam protection. This is tricky, and unfortunately we can’t catch everything. Those exploits won’t be rewarded, unless they are part of a bigger structural issue.
Our reward system is flexible and doesn’t have any strict upper or lower limit. This means particularly creative or severe bugs will be rewarded accordingly. The amount will exclusively depend on the severity of the vulnerability.
Rewards will be sent using PayPal once the vulnerability has been fixed. This service collects a fee for processing the transaction, which gets deducted from the amount awarded. Please note that you are responsible for paying the proper amount of taxes in your country on the amount you are compensated.
As of March 9th 2021, our bug bounty is temporarily closed for submissions while we investigate a way to curb the behavior of certain actors who report non-qualifying exploits and then bug the team about getting a payment.
If you have any questions regarding the program or why we decided to put it on hold, please contact us at firstname.lastname@example.org.
Hall of fame
As of today, we sent a total of $1,050 USD.
- Rate-limiting issue reported by Shobhit Mehta on November 10, 2020
- Click-jacking issue, reported by Akshay Bokhare on November 21, 2020
- Rate-limiting bypassing issue, reported by Ronit Bhatt on December 8, 2020
- Session invalidation, reported by Kunal Mishrai on December 10, 2020
- Misc issue, reported by Sanem Sudheendra on January 4, 2021