Vulnerability Disclosure Program


In order to qualify, the vulnerability must exist in the latest public release (including officially released public betas) of the software. Only security vulnerabilities will qualify. We would love it if people reported other bugs via the appropriate channels, but since the purpose of this program is to fix security vulnerabilities, only bugs that lead to security vulnerabilities will be eligible for rewards. Other bugs will be accepted at our discretion.


Please adhere to the following guidelines in order to be eligible for rewards under this disclosure program:



- Can use any email account to test the app


- Authentication Protocol Vulnerabilities (For e.g. OAuth Implementation Flaws)
- Discover vulerability and potential user data exposure on backend service
- Discover vulerability on unsollecited access to mailboxes
- Discover vulerability of potential automation procedure
- Discover vulerability of service endpoints
- If you encounter any of the below on our systems while testing within the scope of this policy, stop your test and notify us immediately:
- Personally identifiable information


- Do not perform DoS or DDoS attacks.
- Do not in any way attack our end users, or engage in the trade of stolen user credentials.
- Spam (including issues related to SPF/DKIM/DMARC)
- Attacks requiring physical access to a user's device
- User data stored unencrypted on the file system on rooted devices
- User interface bugs or typos.
- website issues.

In addition, please allow Airmail at least 90 days to fix the vulnerability before publicly discussing or blogging about it. Airmail believes that security researchers have a First Amendment right to report their research and that disclosure is highly beneficial, and understands that it is a highly subjective question of when and how to hold back details to mitigate the risk that vulnerability information will be misused. If you believe that earlier disclosure is necessary, please let us know so that we can begin a conversation.


Just as important as discovering security flaws is reporting the findings so that users can protect themselves and vendors can repair their products.
Public disclosure of security information enables informed consumer choice and inspires vendors to be truthful about flaws, repair vulnerabilities, and build more secure products.

Disclosure and peer review advances the state of the art in security.
Researchers can figure out where new technologies need to be developed, and the information can help policymakers understand where problems tend to occur.
On the other hand, vulnerability information can give attackers who were not otherwise sophisticated enough to find the problem on their own the very information they need to exploit a security hole in a computer or system and cause harm. Therefore we ask that you privately report the vulnerability to Airmail before public disclosure.
Send an email to with information about the vulnerability and detailed steps on how to replicate it. Submissions that include detailed information on how to fix the corresponding vulnerability are more likely to receive more valuable rewards. We are also happy to accept anonymous vulnerability reports, but of course we can't send you our thanks if you report a vulnerability anonymously.

We will make every effort to respond to valid reports within seven business days. The validity of a vulnerability will be judged at the sole discretion of Airmail.