Copyright © 1999–2018 FastMail Pty Ltd
If you think you have found a security vulnerability in FastMail, please report it to us straight away by emailing bugreport@fastmail.com. Please include detailed steps to reproduce and a brief description of what the impact is. We encourage responsible disclosure (as described below), and we promise to investigate all legitimate reports in a timely manner and fix any issues as soon as we can.
We aim to respond to all emails within 24 hours, although fixing the problem may often take longer. If you don't receive some response to your email within 24 hours, then it's possible a spam filter or other issue has delayed the email. Please try emailing us again from a different account or location.
We ask that during your research you make every effort to maintain the integrity of our users' data, avoiding violating privacy or degrading our service. You must give us reasonable time to fix any vulnerability you find before you make it public. In return we promise to investigate reports promptly and not to take any legal action against you.
As a measure of our appreciation for security researchers, we are happy to give full credit in our public postmortem after the bug has been fixed, and we offer a monetary bounty for certain qualifying bugs. To qualify for the bounty, you must:
Examples of valid vulnerability types include:
www.fastmail.com or beta.fastmail.com, not on user.fm or fastmailusercontent.com; see below

The decision of whether a bug qualifies for a bounty is solely at the discretion of FastMail. Any qualifying bug will be eligible for a bounty of a minimum of US $100 and a maximum of $5,000. The exact value will be determined by FastMail after taking into account the severity of the vulnerability, the number of users potentially affected, etc. All bounties will be paid via PayPal. Any taxes or fees are the sole liability of the recipient.
People seem to report these regularly, so we're putting them up front to make it clear we do not regard these as bugs.

user.fm and fastmailusercontent.com are used to host potentially unsafe user content. By keeping this content in completely separate domains, we avoid any security issues with our core fastmail.com domain. As such, any Cross-Site Scripting (XSS) attacks on these sites are not of interest to us. Please note that if you go to a user web site such as http://testuser.fastmail.com it immediately redirects to http://testuser.fastmail.com.user.fm and is thus in the user.fm security domain, not the fastmail.com domain.

Our thanks to the following security researchers for their submissions:
Researcher | Vulnerability found | Bounty paid |
---|---|---|
Chachi | Error in check preventing reuse of previous password | $100 |
Jaikishan Tulswani | Session invalidation logic error | $100 |
Jaikishan Tulswani | Referrer leakage from support ticket | $100 |
Alex Zorin | Input truncation bypassing domain validation | $100 |

Researcher | Vulnerability found | Bounty paid |
---|---|---|
Max Justicz | Write access to server files | $4000 |
Brian Hyde | Read-only access to private server files | $2000 |
Arsiadi Sriyanto | Read access to private file storage metadata | $500 |
Lucas Reddinger | Missing “enabled” check for shared calendar link | $500 |
Bastian Welfrid Purba | CSRF in support ticket creation | $250 |
Nikola Kojic | Image proxy bypass | $200 |
Arsiadi Sriyanto | XSS on DAV subdomains | $200 |
pnig0s | Unexploitable SSRF | $100 |

Researcher | Vulnerability found | Bounty paid |
---|---|---|
Arsiadi Sriyanto | Reflected XSS | $1500 |
Brian Hyde | Server Side Request Forgery | $1000 |
Shiv Bihari Pandey | Security settings unlock bypass | $500 |
John Cleary | Incorrect CalDAV ACL check allowed access to list of unrelated users | $500 |
Richard Smith | 2FA bypass when importing a user into a business | $300 |
Shiv Bihari Pandey | SMS verification bypass | $250 |
n00b 4lw4y5 7ry | Open redirect | $100 |

Researcher | Vulnerability found | Bounty paid |
---|---|---|
Salman Niksefat | XSS in email body (classic interface or old browsers only) | $1500 |
Bogdan Calin | HTTP header injection | $500 |
James Kettle (PortSwigger Web Security) | Login CSRF | $100 |
Hugh Davenport | Deletion of contacts/events with restricted logins | $100 |
Hugh Davenport | window.opener phishing vulnerability in classic interface | $100 |

Researcher | Vulnerability found | Bounty paid |
---|---|---|
Sergey Markov | Read-only access to private server files | $2000 |
Thomas Guittonneau | Read-only access to private server files | $2000 |
Sergey Markov | HTTP header injection | $1000 |
Frans Rosén | XSS in email (classic interface only) | $1000 |
Prashant Sharma | Stored XSS in our support ticket system | $1000 |
Hammad Shamsi | Stored XSS in our support ticket system | $1000 |
Bastian Welfrid Purba | Missing user privilege check for removing user websites | $1000 |
Bastian Welfrid Purba | Missing user privilege check for fetching saved searches | $250 |
Satish Bommisetty | Can trick user into making phone call in iOS app | $200 |
Bastian Welfrid Purba | 4 self-XSS issues (not exploitable) | $400 |
V. Harish Kumar | 2 self-XSS issues (not exploitable) | $200 |
Ranjeet Singh | IMAP connections not immediately killed on password change | $100 |
Sasi Levi | Self-XSS issue (not exploitable) | $100 |
Manikandan Rajakumar | Self-XSS issue (not exploitable) | $100 |
Lyon Yang | XSS in embedded image in email body (only classic interface, only IE6, only if remote images enabled) | $100 |
Jakub Zoczek | HTTP header injection (only on redirect) | $100 |
Rakesh Mane | Self-XSS issue (not exploitable) | $100 |
Sasi Levi | CSRF on some business/family account admin actions | $100 |
Sasi Levi | CSRF on some folder sharing actions | $100 |
Hammad Shamsi | Open redirect in PayPal handler | $100 |
Mike Cardwell | Image proxying bypass on reply | $100 |
Anonymous | window.opener phishing vulnerability | $100 |