| Prerequisites |
|---|
| Read about the fixed vulnerabilities in FlowCrypt products. |
The FlowCrypt bug bounty program aims to strengthen the privacy protections of our products through open collaboration with security researchers. We prioritize clear communication by establishing well-defined scopes, logically organized vulnerability categories, and fair rewards. With that in mind, we’ve outlined the scope, acceptable vulnerabilities, and rewards for our bug bounty program below.
How to submit a report
To submit a report, or even just reach out with questions and concerns, let the security team know at security@flowcrypt.com. The public key for this address can be found online on FlowCrypt’s Attester public key store. The fingerprint is 8A03 0BAB 42CA D97F F26A A25E 283D DD9A 77AD 6AF2.
The report should include your PayPal account for payment and steps we can follow to reproduce the bug. Please provide as much detail as possible. While it’s not mandatory, it would be appreciated if practical scenarios were included where the bug could be used maliciously, as well as suggestions for common mitigations.
Scope
In scope:
| Target | Site | Source Code |
|---|---|---|
| Browser Extension | flowcrypt-browser | |
| Android App | flowcrypt-android | |
| iOS App | flowcrypt-ios | |
| PGPainless Library | pgpainless | |
| Encrypted Contact Page | flowcrypt.com/me/[user] |
flowcrypt-web (private repo) |
| FlowCrypt Account Settings | flowcrypt.com/account |
flowcrypt-web (private repo) |
| FlowCrypt Attester | flowcrypt.com/attester/ |
flowcrypt-attester (private repo) |
| Backend API | flowcrypt.com/api/ |
flowcrypt-backend (private repo) |
Altering, accessing, or obtaining private information from live accounts you don’t control is disallowed. These vulnerabilities are in scope, but they should only be performed against test accounts you control.
Out of scope:
- A DoS attack against public FlowCrypt services. If you think you’ve found a DoS vulnerability, contact us so that we can help you test it safely.
- The ability of users to take manual screenshots on the mobile application isn’t considered a vulnerability.
- StrandHogg 1.0 and 2.0 vulnerabilities are out of scope for the Android app.
- Blind SSRF specifically for WKD requests from client apps that only cause IP/user agent exfiltration.
- Public IP disclosure.
- Account enumeration.
- DNSSEC-related issues.
Phishing and pure social engineering attacks are out of scope, unless there is a clear way we could change our system to mitigate the potential for such an attack. In such cases, we’ll determine on a case-by-case basis.
If these restrictions limit you from performing a test or developing a proof of concept, please contact us at security@flowcrypt.com, and we’ll try to provide a safe way to test the bug.
Known Limitations
In addition to out-of-scope domains, there are also certain traits of FlowCrypt that may seem relevant from a security standpoint, but we find them acceptable and won’t offer a reward for them. Currently, these include:
- Users can delete their account and recreate it to begin another free trial ad infinitum.
- The Encrypted Contact Page lets senders put any Reply-To address they wish.
- We advertise a 25MB limit for encrypted attachments. However, the actual technical limit is close to 50MB. This is because the files become larger after encryption.
- Unrestricted file upload on the Encrypted Contact Page or Secure Compose.
- Mobile SSL Pinning.
- Reusable
auth_id_tokensession cookie after logout on FlowCrypt Account settings.
Rewards
The categories below describe broad ranges, but the specific reward is narrowed down based on the following factors:
- Severity of impact on affected users
- Feasibility
- Quantity of affected users
In other words, we prioritize bugs that could feasibly impact a large number of users, and this is reflected in our rewards system. Nevertheless, we’re happy to fix any security bug and encourage smaller reports as well. Among such bugs are:
-
Access to highly sensitive user information or account takeover without user interaction (EUR 1 000 - EUR 5 000). To be eligible for this reward bracket, you’d be able to acquire password hashes, private keys, or other sensitive user information, or simply takeover user accounts, all without requiring interaction from the target. This excludes phishing or clicking an attacker-supplied link, etc.
-
High-to-medium impact vulnerabilities exploitable only with user complicity (EUR 100 - EUR 3 000). Bugs in this category have a vulnerability that does have some impact, but can’t be accomplished without tricking the user into some kind of supporting action. CSRF vulnerabilities, for example, fall into this category.
-
Security weaknesses with low risk or with an unrealistic path to exploitation (EUR 10 - EUR 200). We’re happy to receive reports of insecure configurations, open ports, or HTML injections without immediately apparent exploit paths. These less severe vulnerabilities are worth fixing, and therefore worth a reward too.
DoS vulnerabilities are evaluated in different ways:
-
DDoS (EUR 10 - EUR 100). Low-impact configurations that we could harden to make us more resistant to DDoS. An example is rate-limiting on resource-intensive actions.
-
DoS (EUR 50 - EUR 1 000). Attacks that can feasibly be accomplished by a single attacker using limited resources.
If you’ve found a vulnerability that doesn’t fit in any of these categories, we’re still glad to hear from you and will assess and triage the bug to make sure you receive a fair reward.
How you get paid
A security vulnerability report validated in a certain month will be paid by the 10th day of the following month.
If you’re in Europe we can deposit the reward directly into your bank account. We only need an IBAN as well as your first and last name.
If you’re located outside of Europe, we can pay by PayPal and will require the email address associated with your account. We may also consider direct bank transfers for payments exceeding EUR 500.
We move swiftly in responding to reports and triaging bugs, so don’t hesitate to reach out!