SimpleLogin bug bounty program

October 5, 2022 · written by Author Image Son

SimpleLogin makes it easy for you to generate an anonymous email alias anytime you don’t want to share your real email address. As a service to protect your email address, we focused a great deal on security and privacy when we built SimpleLogin. Recently, we asked Securitum, a leading European cybersecurity firm, to run a security audit on SimpleLogin apps and the result was positive overall. Today, we’re taking the step in improving our security and launching a bug bounty program.

SimpleLogin has been open source since we began, and we’ve received multiple contributions from our community that have strengthened all aspects of our service. This bug bounty program provides our community another way to participate in our development, and extends the work that we already do on a daily basis to keep our service safe. With SimpleLogin joining Proton, the Swiss company best known for Proton Mail and Proton VPN, we decided to use the same bug bounty model it has successfully run since 2015.

We invite all security experts worldwide to participate in our bug bounty program and try to find weaknesses within SimpleLogin. We will pay rewards (bounties) for security issues that are reported to us through this program and that we judge to be worthy. If you are a security researcher, you can also participate in the Proton bug bounty program.

Rules

Scope: The program is limited to the web application, web extension, and mobile applications run by SimpleLogin. Our profiles on Reddit, Twitter, Linkedin, Facebook, etc., do not qualify. Qualifying sites include:

Judging: The judging panel to determine awards consists of SimpleLogin and Proton developers assisted by one or more outside experts who are part of our security group. Program participants agree to respect the final decision made by the judges.

Responsible disclosure: We request that all vulnerabilities be reported to us at security@proton.me. We believe it is against the spirit of this program to disclose any flaw to third parties for purposes other than actually fixing the bug. Participants agree not to disclose bugs found until they have been fixed and to coordinate disclosure with our team through our release notes to avoid confusion.

Responsible testing: Please do not spam users, leverage black hat SEO techniques, run phishing campaigns, or do other similarly questionable things. We also discourage vulnerability testing that degrades the quality of service for our users. If in doubt, feel free to contact our Security Team at security@proton.me.

Adherence to rules: By participating in this program, you agree to adhere to the above rules and conditions. All rules must be followed to be eligible for awards.

Qualifying vulnerabilities

Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be within this program’s scope. This includes, but is not limited to:

Web applications

Server

Mobile

We believe in working closely with security researchers and are willing to share technical details, such as API specifications or infrastructure details, with selected researchers to improve security for all SimpleLogin users. Please contact security@proton.me for more details.

Qualifying improvements

Sometimes we award bounties for suggestions for improvement that don’t fall into the above categories. This is determined on a case-by-case basis by our judging panel. These include things such as:

Non-qualifying vulnerabilities

Reward Amounts

The size of the bounty we pay is determined on a case-by-case basis and largely depends on the severity of the issue. To be awarded a bounty, you usually need to be the first person to report an issue, although we sometimes make exceptions. Rough bounty guidelines are provided below:

Minor server and app vulnerabilities that do not compromise user data or privacy: $50

Vulnerabilities that can lead to data corruption: $200

Vulnerabilities that can lead to the disclosure of user data or jeopardize user privacy: $1,000+

Maximum bounty: $10,000