Policies
Last modified: February 3rd, 2023
Overview
We take security very seriously at Mailjoy. If you believe you've found a security issue on Mailjoy, please let us know as soon as possible. We will investigate all legitimate reports and fix any issues.
While we encourage legitimate reports, please do not submit reports based on automated scanners unless they describe a genuinely exploitable issue that has been verified manually.
General Guidelines
- Vulnerability reports must include manual validation. For example, reports based only on results from automated tools and scanners, or which describe theoretical attack vectors without proof of exploitability, will be rejected.
- Indicate the steps to reproduce and make sure you demonstrate a working proof of concept.
- Submissions without sufficient detail will be rejected.
- Since we use the same stack for all the websites, a vulnerability that exists across all the websites will be considered one report.
- Only contact us using the details outlined below.
Qualifying Vulnerabilities
We encourage you to ethically disclose vulnerabilities to us so we have the opportunity to address any issues and coordinate disclosure after a fix has been deployed. All reports regarding Mailjoy's security are welcomed, provided that the issue is exploitable by an adversary.
Any reproducible vulnerability that affects the security of our users is likely to be in scope for the program. Common examples include:
- Cross Site Scripting (XSS)
- Cross Site Request Forgery (CSRF)
- Server Side Request Forgery (SSRF)
- Remote Code Execution (RCE)
- SQL Injection (SQLi)
- Privilege Escalation
Terms and Conditions
We promote ethical disclosure and ask that:
- You give us a reasonable amount of time to investigate and fix any issues before publicly disclosing any information
- You make a good faith effort to avoid disruption to others, not conducting activities that lead to data deletion, data manipulation, or the degradation of our services
- You do not exploit any issue you discover
- You do not violate any laws or regulations
Submitting a report
Please use the button below, or email your report to reports@mailjoy.com. Please include the following (as appropriate):
- Description of the vulnerability
- Steps to reproduce the reported vulnerability
- Proof of exploitability (e.g. screenshot, video)
- Perceived impact to another user or the organization
- List of URLs and affected parameters
- Other vulnerable URLs, additional payloads, Proof-of-Concept code
- Browser, OS and/or app version used during testing
- Impact of the bug