Security issue reporting guidelines
If you think you have found a security vulnerability in Fastmail, please report
it to us straight away by emailing bugreport@fastmail.com. Please include
detailed steps to reproduce and a brief description of what the impact is. We
encourage responsible disclosure (as described below), and we promise to
investigate all legitimate reports in a timely manner and fix any issues as
soon as we can.
We do read all reports within 24 hours, but as all reports are reviewed and
personally investigated by our senior staff, it may take up to 10 business days
before you hear back from us.
Responsible disclosure policy
We ask that during your research you make every effort to maintain the integrity
of our users’ data, avoiding violating privacy or degrading our service. You
must give us reasonable time to fix any vulnerability you find before you make
it public. In return we promise to investigate reports promptly and not to take
any legal action against you.
Bug bounty
Our bug bounty program is common to all products produced by Fastmail, and thus covers our Topicbox and Pobox products in addition to our flagship Fastmail service.
As a measure of our appreciation for security researchers, we are happy to give full credit in any public postmortem after the bug has been fixed, and we offer a monetary bounty for certain qualifying bugs. To qualify for the bounty, you must:
- Follow our responsible disclosure policy (see above).
- Report the bug to us first, and give us reasonable time to fix the issue
before making it public.
- Be the first person to report the issue to us.
- Use a test account (a free trial account is fine), or an account that you
control. Never interact with other accounts without the owner’s consent.
- Find a bug that could allow access to private user data, or enable access to
a system running Fastmail infrastructure.
Examples of valid vulnerability types include:
- Authentication or session management issues
- Cross-Site Scripting (XSS) (only on www.fastmail.com or beta.fastmail.com, not on user.fm or fastmailusercontent.com; see below)
- Cross-Site Request Forgery (CSRF/XSRF)
- Remote Code Execution
- Privilege Escalation
The decision of whether a bug qualifies for a bounty is solely at the discretion of Fastmail. Any qualifying bug will be eligible for a bounty of a minimum of US $100 and a maximum of $5,000. The exact value will be determined by Fastmail after taking into account the severity of the vulnerability, the number of users potentially affected etc. All bounties will be paid via PayPal. Any taxes or fees are the sole liability of the recipient. We process bug bounty payments once a month.
Specific exclusions
People report these regularly, so we are putting them up front to make it clear that we do not regard them as bugs:
- Email spoofing bugs do not qualify. We are quite aware that users can set arbitrary From addresses on emails, that our SPF records allow arbitrary hosts to send email as our domains, and that our DMARC policy is not an enforcing one (it does not ask receivers to quarantine or reject failing mail). These policy decisions are by design, and we track the actual sender in a separate header.
- CSV Excel Macro Injection bugs via address book exporting do not qualify. The user has complete control over their address book. Convincing someone to add a particular address to their address book, export and download it as a CSV, open it in Excel and click through a warning dialog is, in our view, exceedingly unlikely user interaction. If you can get them to do all that, you could just get them to run cmd from the Start menu and paste an arbitrary command.
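The spoofing exclusion above turns on a check a researcher can do before filing: read the domain's published SPF and DMARC records and work out whether a forged From address is blocked by policy at all. The following is an added example (not Fastmail's code, and not a description of Fastmail's real DNS records) that parses constructed SPF and DMARC TXT records per RFC 7208 and RFC 7489 and reports what a standards-conforming receiver would do with mail forged from an unlisted host. The domain names, the `SAMPLE_TXT` table and all function names are assumptions made for the demonstration; in practice the records would be fetched with a DNS resolver rather than read from a dict.

```python
"""Decide whether a forged From: address for a domain would be blocked by the
domain's *published* SPF and DMARC policy.

Added example, not Fastmail's code. The TXT records below are constructed
for the demonstration and are NOT Fastmail's real DNS records.
"""
import re

# Constructed sample DNS TXT records keyed by owner name (assumption, not real data).
SAMPLE_TXT = {
    "permissive.example":        ["v=spf1 include:_spf.example.net +all"],
    "_dmarc.permissive.example": ["v=DMARC1; p=none; rua=mailto:reports@permissive.example"],
    "softfail.example":          ["v=spf1 mx ~all"],
    "_dmarc.softfail.example":   ["v=DMARC1; p=quarantine; pct=100"],
    "strict.example":            ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_dmarc.strict.example":     ["v=DMARC1; p=reject; adkim=s; aspf=s"],
    "nopolicy.example":          ["v=spf1 mx"],
}

SPF_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_all_qualifier(record):
    """Return the qualifier of the first 'all' mechanism: '+', '-', '~' or '?'.

    RFC 7208: a missing qualifier means '+', and nothing after 'all' is evaluated.
    Returns None if the record has no 'all' mechanism (default result: neutral).
    """
    for term in record.split()[1:]:          # skip the 'v=spf1' version tag
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"
    return None


def dmarc_policy(record):
    """Return the requested policy (p= tag) of a DMARC record, lower-cased."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags.get("p")                     # required by RFC 7489; None if missing


def forged_mail_outcome(domain, records=SAMPLE_TXT):
    """Outcome for mail whose From: and envelope sender claim `domain` but which
    is sent from a host SPF does not list and which carries no DKIM signature.
    """
    spf = [r for r in records.get(domain, []) if r.lower().startswith("v=spf1")]
    dmarc = [r for r in records.get("_dmarc." + domain, []) if r.lower().startswith("v=dmarc1")]

    if len(spf) != 1:                        # none, or duplicates (RFC 7208: permerror)
        spf_result = "none" if not spf else "permerror"
    else:
        spf_result = SPF_RESULT.get(spf_all_qualifier(spf[0]), "neutral")

    policy = dmarc_policy(dmarc[0]) if len(dmarc) == 1 else None
    # With an aligned envelope sender, the forged message passes DMARC only when
    # SPF passes, and an unlisted host can only achieve that through '+all'.
    dmarc_pass = spf_result == "pass"

    if policy is None:
        action = "no DMARC policy published; delivery depends on the receiver's SPF handling"
    elif dmarc_pass:
        action = "DMARC pass; delivered"
    elif policy == "none":
        action = "DMARC fail with p=none; delivered, only reported"
    elif policy == "quarantine":
        action = "DMARC fail with p=quarantine; delivered to spam or held"
    elif policy == "reject":
        action = "DMARC fail with p=reject; rejected"
    else:
        action = "unrecognised p= value; receivers treat it as p=none"
    return {"spf": spf_result, "dmarc_policy": policy, "dmarc_pass": dmarc_pass, "action": action}


def spoofing_is_by_policy(domain, records=SAMPLE_TXT):
    """True when the published records already let forged mail through, so a
    'spoofing' report would only restate the domain owner's own choice."""
    outcome = forged_mail_outcome(domain, records)
    return outcome["dmarc_policy"] not in ("quarantine", "reject") or outcome["dmarc_pass"]


if __name__ == "__main__":
    for name in ("permissive.example", "softfail.example", "strict.example", "nopolicy.example"):
        print(name, forged_mail_outcome(name)["action"], "by policy:", spoofing_is_by_policy(name))
```

Only the last two cases (`strict.example`, `softfail.example`) would make a demonstrated spoof interesting: there the owner has asked receivers to reject or quarantine forgeries, so getting one delivered would contradict the published policy. A `+all` record or `p=none`, as the exclusion above describes, is the owner's deliberate choice and reproducing it is not a finding.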
General Exclusions
- Denial of Service (DoS) and social engineering attacks do not qualify and must not be attempted against Fastmail or our users under any circumstances.
- Bugs that require exceedingly unlikely user interaction, or that are caused by insecurities in browser extensions, do not qualify.
- Brute-force login attempts do not qualify.
- The domains user.fm and fastmailusercontent.com are used to host potentially unsafe user content. By keeping this content on completely separate domains, we avoid any security issues with our core fastmail.com domain. As such, any Cross-Site Scripting (XSS) attacks on these sites are not of interest to us. Please note that if you go to a user web site such as http://testuser.fastmail.com it immediately redirects to http://testuser.fastmail.com.user.fm and is thus in the user.fm security domain, not the fastmail.com domain.
- Bugs on sites associated with Fastmail but not run by Fastmail do not
qualify. This includes www.fastmailfbl.com. We are grateful for any reports on issues with these sites, and we will pass on the bugs to the relevant company, however they do not qualify for a bounty.
- Anything related to enumeration of usernames does not qualify.
- Bugs related to unpatched, out-of-date or exceedingly rarely used browsers, or to other client software outside our control.
- We are public about the software we run. We are not interested in reports about “leakage” of the fact that we run nginx, or of its version number, or of Perl module names or file paths.
Hall of fame
Our thanks to the following security researchers for their submissions:
2015

| Researcher | Vulnerability found | Bounty paid |
|---|---|---|
| Salman Niksefat | XSS in email body (classic interface or old browsers only) | $1500 |
| Bogdan Calin | HTTP header injection | $500 |
| James Kettle (PortSwigger Web Security) | Login CSRF | $100 |
| Hugh Davenport | Deletion of contacts/events with restricted logins | $100 |
| Hugh Davenport | window.opener phishing vulnerability in classic interface | $100 |
2014

| Researcher | Vulnerability found | Bounty paid |
|---|---|---|
| Sergey Markov | Read-only access to private server files | $2000 |
| Thomas Guittonneau | Read-only access to private server files | $2000 |
| Sergey Markov | HTTP header injection | $1000 |
| Frans Rosén | XSS in email (classic interface only) | $1000 |
| Prashant Sharma | Stored XSS in our support ticket system | $1000 |
| Hammad Shamsi | Stored XSS in our support ticket system | $1000 |
| Bastian Welfrid Purba | Missing user privilege check for removing user websites | $1000 |
| Bastian Welfrid Purba | Missing user privilege check for fetching saved searches | $250 |
| Satish Bommisetty | Can trick user into making phone call in iOS app | $200 |
| Bastian Welfrid Purba | 4 self-XSS issues (not exploitable) | $400 |
| V. Harish Kumar | 2 self-XSS issues (not exploitable) | $200 |
| Ranjeet Singh | IMAP connections not immediately killed on password change | $100 |
| Sasi Levi | Self-XSS issue (not exploitable) | $100 |
| Manikandan Rajakumar | Self-XSS issue (not exploitable) | $100 |
| Lyon Yang | XSS in embedded image in email body (only classic interface, only IE6, only if remote images enabled) | $100 |
| Jakub Zoczek | HTTP header injection (only on redirect) | $100 |
| Rakesh Mane | Self-XSS issue (not exploitable) | $100 |
| Sasi Levi | CSRF on some business/family account admin actions | $100 |
| Sasi Levi | CSRF on some folder sharing actions | $100 |
| Hammad Shamsi | Open redirect in PayPal handler | $100 |
| Mike Cardwell | Image proxying bypass on reply | $100 |
| Anonymous | window.opener phishing vulnerability | $100 |