We invite you to participate in Proton's mission to secure its users' private data online!


Proton was founded in 2013 by scientists who met at CERN and were drawn together by a shared vision of a more secure and private Internet. To support the global effort to protect civil liberties and build a more secure Internet, Proton has launched a private Bug Bounty Program together with Bug Bounty Switzerland. We invite sophisticated security researchers, cryptographers and hackers with experience searching for and identifying advanced vulnerabilities to join this program.

Why we want you

  • You have publicly demonstrated expertise in security research or cryptography, or have identified vulnerabilities in sensitive systems
  • Proton's top priority has always been the security of its community - and we need you to sustain it

What you can expect

  • The program will give you early and exclusive access to unpublished versions of the applications and their source code
  • We pay attractive bounties for accepted reports concerning infrastructure, apps or source code - up to 30k
  • Coordinated vulnerability disclosure
  • A constructive dialogue, fair rules and a legal safe harbor

Key focus areas include:

  • Vulnerabilities that compromise a Proton user's personal data
  • Compromising Proton’s encryption (password leaks, private keys, etc.)
  • The ability to demonstrate unauthorized access to customer data (such as email, calendar, etc.)
  • Demonstrating elevation of privilege (EoP), sensitive information disclosure, or availability vulnerabilities in Proton products
  • Compromising Proton's API or server infrastructure
  • Demonstrating the ability to compromise Proton applications running on mobile devices, Windows, Linux, and Apple platforms

This is a private program - only invited researchers can participate. We are committed to working closely with qualified security researchers to ensure that our products are as secure as possible.

If you are interested in participating in this program, then apply now!

What you can expect

The bug bounty program is a time-limited incubator intended to bring Proton's existing bug bounty initiative to the next level.

The Systems in Scope

All Proton systems are in scope (server systems, web applications, mobile apps, desktop applications), including the source code of most of them. Additionally, preview access to unpublished source code and/or the corresponding application builds is provided.

ProtonMail

  • Mobile apps
  • Web applications, server systems (APIs, backend)
  • ProtonBridge
  • Source code

ProtonVPN

  • Mobile apps
  • Web applications, server systems (APIs, backend)
  • Source code

Shared Components

  • Source code of shared core components

How we assess the impact

When assessing reports, the impact on Proton and its users is what matters. For example, the following will be considered:

What kind of data or system can be accessed?

  • Cleartext representation of encrypted user data
  • Metadata of Proton's users
  • Proton’s infrastructure
  • The devices of Proton’s users

The scalability of the attack

  • Single users
  • Many users at once

Whether targeted attacks are possible

  • Attacks on random users
  • Targeted attacks on a single user

Rewards

Based on the impact, bounties of up to 30k are paid out.

Source Code

For most of Proton's products the source code is available and can be used to identify implementation flaws or cryptographic issues that could lead to exploitation.

Legal Safe Harbor

The program provides a legal safe harbor and protects security researchers from prosecution when they act in good faith and comply with the rules of the program.

Responsible Disclosure

  • We encourage coordinated disclosure of vulnerabilities
  • Disclosure of vulnerabilities found in this private program requires Proton's written consent