Security Issue Reporting

Security issue reporting guidelines

If you think you have found a security vulnerability in Fastmail, please report it to us straight away by emailing [email protected]. Please include detailed steps to reproduce and a brief description of what the impact is. We encourage responsible disclosure (as described below), and we promise to investigate all legitimate reports in a timely manner and fix any issues as soon as we can.

We do read all reports within 24 hours, but as all reports are reviewed and personally investigated by our senior staff, it may take up to 10 business days before you hear back from us.


Responsible disclosure policy

We ask that during your research you make every effort to maintain the integrity of our users’ data, avoiding violating privacy or degrading our service. You must give us reasonable time to fix any vulnerability you find before you make it public. In return we promise to investigate reports promptly and not to take any legal action against you.

Bug bounty

Our bug bounty program is common to all products produced by Fastmail, and thus covers our Topicbox and Pobox products in addition to our flagship Fastmail service.

As a measure of our appreciation for security researchers, we are happy to give full credit in any public postmortem after the bug has been fixed, and we offer a monetary bounty for certain qualifying bugs. To qualify for the bounty, you must:

  • Follow our responsible disclosure policy (see above).
  • Report the bug to us first, and give us reasonable time to fix the issue before making it public.
  • Be the first person to report the issue to us.
  • Use a test account (a free trial account is fine), or an account that you control. Never interact with other accounts without the owner’s consent.
  • Find a bug that could allow access to private user data, or enable access to a system running Fastmail infrastructure.

Examples of valid vulnerability types include:

  • Authentication or session management issues
  • Cross-Site Scripting (XSS) (only on www.fastmail.com or beta.fastmail.com, not on user.fm or fastmailusercontent.com; see below)
  • Cross-Site Request Forgery (CSRF/XSRF)
  • Remote Code Execution
  • Privilege Escalation

The decision of whether a bug qualifies for a bounty is solely at the discretion of Fastmail. Any qualifying bug will be eligible for a bounty of a minimum of US$100 and a maximum of $5,000. The exact value will be determined by Fastmail after taking into account the severity of the vulnerability, the number of users potentially affected etc. All bounties will be paid via PayPal. Any taxes or fees are the sole liability of the recipient. We process bug bounty payments once a month.

Specific exclusions

People seem to report these regularly, so we’re putting them up front to make it clear we do not regard these as bugs

  1. Email spoofing bugs do not qualify. We are quite aware that users can set arbitrary From addresses on emails, that our SPF records allow arbitrary hosts to send email as our domains, and that our DMARC policy is not enforcing passes. These policy decisions are by design, and we track the actual sender in a separate header.
  2. CSV Excel Macro Injection bugs via address book exporting do not qualify. The user has complete control over their address book. We regard convincing someone to add a particular address to their address book, export and download it as a CSV, open it in Excel, click through a warning dialog as exceedingly unlikely user interaction. If you can get them to do that, just get them to run cmd from the Start menu and paste some arbitrary command.

General Exclusions

  1. Denial of Service (DOS) and social engineering attacks do not qualify and must not be attempted against Fastmail or our users under any circumstances.
  2. Bugs that require exceedingly unlikely user interaction or are caused by insecurities in browser extensions do not qualify.
  3. Brute force log in attempts.
  4. The domains user.fm and fastmailusercontent.com are used to host potentially unsafe user content. By keeping this content in completely separate domains, we avoid any security issues with our corefastmail.comdomain. As such, any Cross-Site Scripting (XSS) attacks on these sites are not of interest to us. Please note that if you go to a user web site such as testuser.fastmail.com it immediately redirects to testuser.fastmail.com.user.fm and is thus in theuser.fmsecurity domain, not the fastmail.com domain.
  5. Bugs on sites associated with Fastmail but not run by Fastmail do not qualify. This includes www.fastmailfbl.com. We are grateful for any reports on issues with these sites, and we will pass on the bugs to the relevant company, however they do not qualify for a bounty.
  6. Anything related to enumeration of usernames does not qualify.
  7. Bugs related to unpatched, out of date or exceedingly rarely used browsers or other client software out of our control.
  8. We are public about the software we run. We are not interested in reports about “leakage” of the fact we run nginx, or the version number, or Perl module names or file paths.

Hall of fame

Our thanks to the following security researchers for their submissions:

2024

Researcher Vulnerability found Bounty paid
Amethama Luturmas Topicbox ACL bypass $100

2023

Researcher Vulnerability found Bounty paid
Mohammad Eldawody Fastmail 2FA vulnerability $3000
Max Raams Email authentication weaknesses $250

2022

Researcher Vulnerability found Bounty paid
Vivek Kumar Yadav Topicbox app vulnerability $100
Vivek Kumar Yadav Android app vulnerability $100
Milan Jain CRLF injection vulnerability $250
Ilkin Javadov Pobox password link expiry $100
Huzaifa Muhammad Topicbox mobile app vulnerability $100
Huzaifa Muhammad Anti-abuse bypass on mobile app $100
Jonathan Page DKIM oversigning $200

2021

Researcher Vulnerability found Bounty paid
Dennis Trappe iOS app vulnerability $100
Sheikh Rishad Android app vulnerability $100
Jaikishan Tulswani Access vulnerability for third party service $250
Mohammed Eldawody Bypass security screen in Topicbox $100
Vicky Sahputra Deleted group vulnerability in Topicbox $100
Markus Holtermann Fingerprint authentication vulnerability in Fastmail app $100
N Krishna Chaitanya Password reset vulnerability in Pobox $100
Pravas Ranjan Kanungo Image proxy vulnerability in Fastmail $100
Mohammed Eldawody Password recovery bug in Pobox $3000
Roman Zabaluev Caching of “don’t require 2FA again on this device” cookie validity $500

2020

Researcher Vulnerability found Bounty paid
Mohammed Eldawody Privilege escalation bugs in Topicbox $2000
Mohammed Eldawody Bypass security screen in Topicbox $200
Daniel Santos Mutation bypass in DOMPurify $100
Michał Bentkowski (Securitum) CSS sanitisation bypass $750
Michał Bentkowski (Securitum) DOMPurify mXSS (sponsored bug bounty; did not affect Fastmail products) $250
Mohammed Eldawody Stored XSS in Pobox $200
Mart Gil Robles Login CSRF in Pobox $100
Basavaraj Banakar Self-XSS in Pobox $100
Alexander Harkness Unnecessary information disclosed in DMARC report $100
Jackson K V Login rate-limiting bypass in Pobox $200
Sachin Hodkasia Login rate-limiting bypass in Pobox $200
Sachin Hodkasia Password reset expiration issue in Pobox $100
Syed Muhammad Asim Mixed content warnings in Pobox $100

2019

Researcher Vulnerability found Bounty paid
Ace Candelario HTML injection vulnerabilities in Pobox $100
Hemant Singh Manral Limited reuse of expired recovery options $250
Joran Dirk Greef (Ronomon) AppCache exploit to compromise attachment downloads $3500
Michał Bentkowski (Securitum) DOMPurify mXSS (sponsored bug bounty; did not affect Fastmail products) $500
Joran Dirk Greef (Ronomon) Bypasses to allowed attachment extensions $200
Devansh Batham (Infoziant Labs) Deauthentication issue in Pobox $100
Devansh Batham (Infoziant Labs) Password reset design issue in Pobox $100
Brian Hyde HTML injection and email address injection vulnerabilities in Pobox $400
Jaikishan Tulswani Session invalidation logic error in Pobox $100
Aman Mahendra Race condition in 2FA login in Pobox $100
Devansh Batham (Infoziant Labs) Miscellaneous CSRF vulnerabilities in Pobox $500
Devansh Batham (Infoziant Labs) Request replay issue in Pobox $200
Anonymous Incomplete access control restrictions on shared file storage within an account $1000
Aakash Kumar Recovery code logic error in Pobox $100

2018

Researcher Vulnerability found Bounty paid
Devansh Batham (Infoziant Labs) Password reset logic error in Pobox $100
Ahmed Elsobky Phishing protection bypass $100
Tarun Mahour Self-XSS in Pobox $100
Devansh Batham (Infoziant Labs) CSRF vulnerabilities in Listbox $200
Anonymous Network misconfiguration $2000
Nikola Kojic Image proxy bypass $100
Jaikishan Tulswani Page invalidation logic error in Pobox $100
Jaikishan Tulswani Private services discovered $100
Jaikishan Tulswani Session invalidation logic error in Listbox $100
Jaikishan Tulswani List name discovery in Listbox $100
Aman Mahendra Self-XSS in Listbox $100
Arsiadi Sriyanto CSRF Token Disclosure $100
Aman Mahendra XSS in Listbox $200
Jaikishan Tulswani Page invalidation logic error $100
Jaikishan Tulswani DNS misconfiguration $200
Jaikishan Tulswani Open redirect in Listbox $100
Jaikishan Tulswani Access control bypasses in Listbox $700
Jaikishan Tulswani Multiple XSS and CSRF vulnerabilties in Listbox $1000
Aman Mahendra links to insecure HTTP URLs provided in Listbox $100
Jaikishan Tulswani CSRF in Listbox $100
Jaikishan Tulswani subscription limit bypass in Listbox $300
Jaikishan Tulswani access control bypass in Listbox $100
Ranjit Pahan stored XSS in Listbox $200
Devansh Batham (Infoziant Labs) UI redressing attack on Listbox and Pobox $100
Devansh Batham (Infoziant Labs) Multiple XSS and CSRF vulnerabilities in Listbox and Pobox $1200
Brian Hyde Multiple XSS and CSRF vulnerabilities in Listbox and Pobox $1000
Jaikishan Tulswani XSS in Listbox $200
Bijan Murmu Lax password policy in Listbox $200
Ranjit Pahan window.opener phishing vulnerabilty with attachments $100
Chachi Error in check preventing reuse of previous password $100
Jaikishan Tulswani Session invalidation logic error $100
Jaikishan Tulswani Referrer leakage from support ticket $100
Alex Zorin Input truncation bypassing domain validation $100

2017

Researcher Vulnerability found Bounty paid
Max Justicz Write access to server files $4000
Brian Hyde Read-only access to private server files $2000
Arsiadi Sriyanto Read access to private file storage metadata $500
Lucas Reddinger Missing “enabled” check for shared calendar link $500
Bastian Welfrid Purba CSRF in support ticket creation $250
Nikola Kojic Image proxy bypass $200
Arsiadi Sriyanto XSS on DAV subdomains $200
pnig0s Unexploitable SSRF $100

2016

Researcher Vulnerability found Bounty paid
Arsiadi Sriyanto Reflected XSS $1500
Brian Hyde Server Side Request Forgery $1000
Shiv Bihari Pandey Security settings unlock bypass $500
John Cleary Incorrect CalDAV ACL check allowed access to list of unrelated users $500
Richard Smith 2FA bypass when importing a user into a business $300
Shiv Bihari Pandey SMS verification bypass $250
n00b 4lw4y5 7ry Open redirect $100

2015

Researcher Vulnerability found Bounty paid
Salman Niksefat XSS in email body (classic interface or old browsers only) $1500
Bogdan Calin HTTP header injection $500
James Kettle (PortSwigger Web Security) Login CSRF $100
Hugh Davenport Deletion of contacts/events with restricted logins $100
Hugh Davenport window.opener phishing vulnerabilty in classic interface $100

2014

Researcher Vulnerability found Bounty paid
Sergey Markov Read-only access to private server files $2000
Thomas Guittonneau Read-only access to private server files $2000
Sergey Markov HTTP header injection $1000
Frans Rosén XSS in email (classic interface only) $1000
Prashant Sharma Stored XSS in our support ticket system $1000
Hammad Shamsi Stored XSS in our support ticket system $1000
Bastian Welfrid Purba Missing user privilege check for removing user websites $1000
Bastian Welfrid Purba Missing user privilege check for fetching saved searches $250
Satish Bommisetty Can trick user into making phone call in iOS app $200
Bastian Welfrid Purba 4 self-XSS issues (not exploitable) $400
V. Harish Kumar 2 self-XSS issues (not exploitable) $200
Ranjeet Singh IMAP connections not immediately killed on password change $100
Sasi Levi Self-XSS issue (not exploitable) $100
Manikandan Rajakumar Self-XSS issue (not exploitable) $100
Lyon Yang XSS in embedded image in email body (only classic interface, only IE6, only if remote images enabled) $100
Jakub Zoczek HTTP header injection (only on redirect) $100
Rakesh Mane Self-XSS issue (not exploitable) $100
Sasi Levi CSRF on some business/family account admin actions $100
Sasi Levi CSRF on some folder sharing actions $100
Hammad Shamsi Open redirect in paypal handler $100
Mike Cardwell Image proxying bypass on reply $100
Anonymous window.opener phishing vulnerabilty $100