BlueMail Bug Bounty Program

Welcome to the BlueMail Bug Bounty Program!

At BlueMail, we understand the importance of security in our products. We respect and value the contributions of security researchers in helping us maintain the highest standards of security for our users. This program aims to encourage and reward those dedicated individuals who contribute to improving the security of BlueMail.

Program Scope

We are interested in identifying and resolving security vulnerabilities in the BlueMail products to protect our users and their data. Areas of interest include, but are not limited to:

  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • SQL Injection
  • Authentication or Authorization Flaws
  • Remote Code Execution

Out of Scope

To maintain focus and ensure the effectiveness of our program, certain types of reports are considered out of scope, including:

  • Descriptive error messages without a direct security impact (e.g., stack traces, application or server errors).
  • Clickjacking on pages without sensitive actions.
  • Attacks requiring physical access to a user's device.
  • Known issues that have already been reported or are in the process of being resolved.

Program Rules

For the safety of our systems and users, and to ensure the effectiveness of your research, please adhere to the following rules:

  • Adhere to responsible disclosure guidelines.
  • Do not publicly disclose the bug before it is fixed.
  • Refrain from any form of interaction with end users.
  • Avoid all forms of social engineering and phishing attacks.
  • Automated scans and testing, including DoS attacks, are not allowed.
  • Physical testing of BlueMail infrastructure or interaction with BlueMail employees is strictly forbidden.

Failure to comply with these rules will result in immediate disqualification from the program.

Eligibility

To qualify for a bounty, you must meet the following criteria:

  • Be the first reporter of the issue.
  • Provide clear, detailed, and reproducible steps or proof of concept.
  • Be available for follow-up and additional information requests by our team.
  • Not be a current or former employee of BlueMail or an immediate family member of such an employee.

Reward Structure

BlueMail appreciates your efforts in improving our security posture and offers structured bounties for unique, responsibly disclosed vulnerabilities:

Severity Level    Reward
None              No reward
Low               Up to $200
Medium            $200 - $500
High              $500 - $1,000
Critical          $1,000 - $3,000

Note: The severity of the issue will be determined by the BlueMail security team based on the impact and exploitability of the vulnerability.

Submission Guidelines

To submit a vulnerability, please follow these guidelines:

  • Use the contact form accessible through the button at the bottom of this page for submissions.
  • Include a clear and concise description, steps to reproduce the issue, and the potential impact on BlueMail and its users.
  • Provide any test accounts, data used, or proof of concept code as needed.
  • Each vulnerability should be reported in a separate ticket with a clear title that succinctly describes the issue.

Legal Note

Your research must be conducted responsibly, without violating any laws, damaging data, or interrupting or degrading the BlueMail service. Participants are expected to act in good faith towards our users' privacy and data during their research.

BlueMail reserves the right to determine if the submitted vulnerability is eligible for a reward, and all decisions by the BlueMail Bug Bounty team regarding the amount of a bounty are final.

We look forward to collaborating with the security community to enhance the security of BlueMail. Thank you for your support and responsible participation in our Bug Bounty Program.