ETHERMAIL BUG BOUNTY PROGRAM

About the Program

EtherMail GmbH (“Ethermail” or the “Company”) commits to keeping users’ data safe and wants to provide a secure environment for them. We also strongly believe in the value of security professionals and developers assisting in keeping and improving the security of our products and users. For this reason, we decided to launch our Ethermail bug bounty program (the “Bug Bounty Program” or the “Program”) as a discretionary rewards program for the Ethermail community to encourage and reward those who report potential vulnerabilities in our systems.

Note: This Program is for the disclosure of software security vulnerabilities only. If you believe your Ethermail Account has been compromised, please immediately contact our support team: support@ethersuite.io

The following Program description outlines eligibility and scope, how to report vulnerabilities, and other important terms under which Ethermail will grant you (the “Bug Hunter”) a Reward exclusively circumscribed to the detection and disclosure of vulnerabilities. Please read them carefully. If you believe you've found a vulnerability in our product or service, we encourage you to notify us.

Eligibility

We are happy to thank everyone who submits valid vulnerability reports which help us improve our security. However, only reports that meet the eligibility requirements set forth below ('Eligible Reports') may receive a monetary Reward:

- You must be the first reporter of a vulnerability;

- The vulnerability must qualify as a current and/or potential security issue or vulnerability detected regarding 'ethermail.io' (the “Scope”) that substantially affects or may affect the integrity of the software, the platform, the Company and/or any of its users and their personal accounts (the “Vulnerability”);

- Any Vulnerability found must be reported no later than 24 hours after its discovery through bug-bounty@ethersuite.io;

- You must send a clear description of the Vulnerability and the products and features which may be impacted, an explanation of how to fix the Vulnerability, and step-by-step instructions for reproducing the issue detected, including attachments such as screenshots or proof of concept (POC) code as necessary;

- You must not be a former or current employee of the Company or of one of its contractors.

The more details provided in the report, the higher the Reward obtained may be, as further described in the Rewards section below. Failure to include sufficient detail (such as POC code) may result in your report not being eligible.

Rules

By participating in this Program, the Company agrees to award monetary Rewards (as described below) to the Bug Hunters for Eligible Reports submitted in compliance with the terms of this Program.

While reporting any kind of Vulnerability and by participating in this Program you expressly agree:

  • To comply with these Terms;
  • To follow these industry-standard disclosure guidelines;
  • To avoid using web application scanners for automatic vulnerability searching, which generate massive traffic;
  • To refrain from spamming forms or account creation flows using automated scanners;
  • To make every effort not to damage or restrict the availability of products, services or infrastructure;
  • To refrain from using any Vulnerabilities you may find against any of the users of the Company, especially if you do not have their express permission;
  • To avoid intentionally degrading our users' experience;
  • Not to access, modify, delete or store user data;
  • Not to exploit financial Vulnerabilities beyond what is required to prove their existence;
  • Not to violate any applicable law or regulation, including laws prohibiting unauthorized access to information;
  • To report Vulnerabilities with no conditions, demands, or ransom threats. Bug Hunters that engage in extortion attempts will be banned from the Program and reported to law enforcement;
  • That you must not be, or otherwise have a direct relationship (such as family, cohabitation, etc.) with, a former or current employee of the Company or of one of our contractors;
  • That you must not have written the buggy code or otherwise been involved in contributing the buggy code to the project;
  • That you must be old enough to be eligible to participate in and receive payment from this Program in your jurisdiction, or otherwise qualify to receive payment, whether through consent from your parent or guardian or in some other way.

In Scope

  • ethermail

Out of Scope / Non-Qualifying Vulnerabilities

  • Clickjacking on static websites or pages with no sensitive actions
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
  • Forms missing CSRF tokens (we require evidence of an actual CSRF vulnerability)
  • Login/logout CSRF
  • Attacks requiring MITM or physical access to a user's device
  • Previously known vulnerable libraries without a working Proof of Concept
  • Missing best practices in SSL/TLS configuration
  • Missing security headers which do not lead directly to a vulnerability
  • Any activity that could lead to the disruption of our service (DoS)
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Rate limiting or brute-force issues on non-authentication endpoints
  • Missing best practices in Content Security Policy
  • Missing HttpOnly or Secure flags on cookies
  • Vulnerabilities affecting users of outdated or unpatched browsers and platforms
  • Tabnabbing
  • Open redirect - unless an additional security impact can be demonstrated
  • Issues that require unlikely user interaction
  • Issues related to software outside EtherMail control
  • Use of a known-vulnerable library (without evidence of exploitability)
  • Reports from automated tools or scans (without validation of vulnerability)
  • Single-user vulnerabilities that require jailbroken or otherwise non-standard hardware
  • Mixed Content Scripts
  • Disclosure of known public files or directories (e.g. robots.txt)
  • Self Cross Site Scripting (Self-XSS)

Submitting a Bounty

To submit a report, please summarize your findings, following the disclosure guidelines linked above, in an email to bug-bounty@ethersuite.io

Rewards

The economic terms of the rewards for the detection and disclosure of Vulnerabilities (the “Rewards”) shall be determined and defined by the Company, at its discretion, based on the criteria set forth below, and may be adjusted, as it deems appropriate, from time to time, during the term of the Bug Bounty Program. The value of rewards paid out will vary depending on Severity. Vulnerabilities that require considerable response and remediation efforts or could result in reputational damage are also considered to have greater impact.

In addition to the Severity of the Vulnerability, the Reward amount shall also be determined taking into account a range of factors for Eligible Reports, which include but are not limited to the following:

- Quality of description: Eligible Reports that are clearly described and well written;

- Quality of reproduction: Eligible Reports that include a clear proof of concept or specific step-by-step instructions to replicate the vulnerability are considerably more effective at communicating a Bug Hunter's findings and are therefore far more likely to be deemed valid. The easier it is for us to reproduce and verify the vulnerability detected by you, the higher the Reward will be;

- Quality of fix (if included): Higher Rewards will be paid for those submissions which include clear descriptions of how to fix the vulnerability detected.

Confidentiality

This Program is aimed at helping the Company detect and solve Vulnerabilities in its systems. As such, you undertake not to disclose any information regarding the Vulnerability detected, whether resolved or not, nor any other information about the Company or the software to which you may have access, to the public and/or any third parties, without the prior express written consent of the Company, and for a minimum term of ninety (90) days following the day that your report is received by the Company, so that the Company has enough time to assess and remediate the underlying Vulnerabilities prior to any public disclosure. In case any disclosure is made during the referred 90-day period, the Bug Hunter will lose any right to receive a Reward under this Program.

Intellectual Property and acknowledgement

By submitting your report to the Company, you agree that we may take all steps needed to validate, mitigate, and disclose the Vulnerability, and that you grant us all intellectual property rights to your submission needed to do so.

Any patches must be offered under the same license as the repository they affect.

Important Legal Information

Please note the following additional important information when participating in the Program:

- The Bug Bounty Program is a discretionary rewards program for the EtherMail community to encourage and reward those who are helping to improve the Platform. It is not a competition but rather an experimental and discretionary rewards program. The Company may modify and/or cancel the Program at any time.

- You acknowledge that we may not be able to pay Rewards to those individuals who are in jurisdictions which are on European or US sanctions lists. In addition, payment of Rewards may also be restricted, limited or otherwise subject to your applicable local laws.

- We make no representations as to any tax liability as a result of the Reward received under this Program. You are solely responsible for any tax incurred as a result of your participation in the Program.

- In no event shall your participation in this Program be presumed and/or considered to constitute a services and/or employment relationship with the Company.