The FlowCrypt bug bounty program aims to strengthen the privacy protections of our products through open collaboration with security researchers. We believe in clear communication via a well-defined scope, logically organized vulnerability categories, and fair rewards. With that in mind, we've outlined the scope, acceptable vulnerabilities, and rewards for our bug bounty program below.
How to submit a report
To submit a report, or even just to reach out with questions and concerns, let the security team know at email@example.com (the public key for this address can be found on FlowCrypt's Attester at https://firstname.lastname@example.org?show=pubkey, and its fingerprint is 8A03 0BAB 42CA D97F F26A A25E 283D DD9A 77AD 6AF2).
The report should include your PayPal account (for payment) and steps we can follow to reproduce the bug, with as much detail as possible. Examples of practical scenarios in which the bug could be used maliciously, as well as suggestions for common mitigations, are both appreciated but not mandatory.
| Component | URL | Source code |
|---|---|---|
| Encrypted Contact Page | flowcrypt.com/me/[user] | https://github.com/flowcrypt/flowcrypt-web |
| FlowCrypt Account Settings | flowcrypt.com/account | https://github.com/flowcrypt/flowcrypt-web |
Denial of Service against an individual user is in scope, but please contact us before implementing a Proof-of-Concept for any DoS that involves server-side software or which might impact accounts that you do not control.
Out of scope:
- Denial of service against public FlowCrypt services (if you think you have found a DoS vulnerability, contact us and we can help you test it safely)
- The ability of users to take manual screenshots on the mobile application is not considered a vulnerability
- StrandHogg 1.0 and 2.0 vulnerabilities are out of scope for the Android app
- Account enumeration
Altering, accessing, or obtaining private information from live accounts you do not control is disallowed. Such tests are in scope, but they should only be performed against test accounts you control.
Phishing and pure social engineering attacks are out of scope, unless there is a clear way we could change our system to mitigate the potential for such an attack, in which case we will assess the report on a case-by-case basis.
If these restrictions limit you from performing a test or developing a proof of concept, please contact us and we will try to provide a means to safely test the bug.
The categories below describe broad ranges, but the specific reward is narrowed down based on the following factors:
- Severity of impact on affected users
- Quantity of affected users
In other words, we prioritize bugs that could feasibly impact a large number of users, and that is reflected in our rewards system. Nevertheless, we are happy to fix any security bug, and encourage smaller reports as well.
Access to highly sensitive user information or account takeover without user interaction: To be eligible for this reward bracket, you'd be able to acquire password hashes, private keys, or other sensitive user information, or simply take over user accounts, all without requiring interaction from the target (this excludes phishing, clicking an attacker-supplied link, etc.). €1000-€5000
High-to-medium impact vulnerabilities exploitable only with user complicity: Bugs in this category have some impact, but cannot be exploited without tricking the user into some kind of supporting action. CSRF vulnerabilities, for example, fall into this category. €100-€3000
Security weaknesses with low risk or with unrealistic path to exploitation: We are happy to receive reports of insecure configurations, open ports, or HTML injections without immediately apparent exploit paths. These less severe vulnerabilities are worth fixing, and therefore worth a reward too. €10-€200
Note: If you've found a vulnerability that does not fit any of these categories, we are still glad to hear from you, and will assess and triage the bug to make sure you receive a fair reward.
How you get paid
If you are in Europe we can deposit the reward directly to your bank account. We only need an IBAN as well as your first and last name. If you are outside of Europe, we can pay by PayPal and require the email address associated with your PayPal account.
We move swiftly in responding to reports and triaging bugs, so don’t hesitate to reach out!