Bug bounty programme
We pay for responsibly disclosed security vulnerabilities. Twelve thousand people trust us with their email precisely because they should not have to trust us blindly, and independent researchers poking holes in our work is part of how we earn that. If you find a genuine security issue in Scroogle Mail, tell us privately, give us a fair chance to fix it, and we will pay you for it - in Swiss francs, without a lawyer's letter attached.
Reports go to security@scrooglemail.com. Please encrypt anything sensitive to our PGP key.
4F2A 9C81 D7E3 55B0 6A1D 8F42 C3B9 07E6 2D14 AA58
Download the public key: files/security-key.txt. Verify the fingerprint matches before you encrypt - it is also printed on our security page.
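The fingerprint check above is the step that stops a swapped key from silently receiving your report. The script below is an added example, not part of this page or of Scroogle Mail's tooling: it reads the fingerprint out of the downloaded key file without importing it, compares it to the published value (ignoring spacing and case), and only then imports the key into a throwaway keyring and encrypts the report to it. It assumes GnuPG 2.x is installed; the key file path and fingerprint are the ones published above.

```shell
#!/bin/sh
# Added example (not Scroogle Mail's own tooling): verify the programme's PGP key
# against the published fingerprint before encrypting a report to it.
# Assumes gpg (GnuPG 2.x) is on PATH.
set -eu

# Fingerprint as published on the bug bounty page.
EXPECTED_FPR="4F2A 9C81 D7E3 55B0 6A1D 8F42 C3B9 07E6 2D14 AA58"

# Canonicalise a fingerprint: drop spaces, force upper case.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Return 0 when two fingerprints are identical after canonicalisation.
fpr_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Print the primary-key fingerprint found in a key file, without importing it.
# The colon-separated listing has the fingerprint in field 10 of "fpr" records.
key_file_fpr() {
    gpg --batch --with-colons --with-fingerprint \
        --import-options show-only --import "$1" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Verify the key file, then encrypt $2 to it using a temporary keyring so the
# user's own keyring is untouched. Prints the path of the encrypted report.
encrypt_report() {
    keyfile=$1
    report=$2
    actual=$(key_file_fpr "$keyfile")
    if ! fpr_matches "$actual" "$EXPECTED_FPR"; then
        echo "fingerprint mismatch: key file has '$actual'" >&2
        return 1
    fi
    tmphome=$(mktemp -d)
    chmod 700 "$tmphome"
    gpg --batch --homedir "$tmphome" --import "$keyfile" >/dev/null 2>&1
    # The fingerprint has already been verified by hand, so trust-model
    # "always" is safe here and avoids an interactive ownertrust prompt.
    gpg --batch --homedir "$tmphome" --trust-model always --armor \
        --recipient "$(normalize_fpr "$EXPECTED_FPR")" \
        --output "$report.asc" --encrypt "$report"
    rm -rf "$tmphome"
    echo "$report.asc"
}

# Usage: ./encrypt-report.sh files/security-key.txt report.txt
if [ "$#" -eq 2 ]; then
    encrypt_report "$1" "$2"
fi
```

The comparison is done on the canonicalised 40-hex-digit form, so a fingerprint copied with different grouping or in lower case still matches, while a single differing digit fails and nothing is imported or encrypted.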
In scope
Anything we build and run is fair game, specifically:
- scrooglemail.com - the public website, signup and checkout
- *.scrooglemail.com - including mail.scrooglemail.com (webmail) and account subdomains
- api.scrooglemail.com - the customer API and the Scroogle Send transactional API
- The iOS, Android and desktop apps (Windows, macOS, Linux) - current release versions
- Scroogle Bridge - our local IMAP/SMTP bridge
- Our WooCommerce and WordPress plugins for Scroogle Relay and Scroogle Send
The issues we care about most: anything that breaks the zero-access model (reading another user's stored mail, key extraction), authentication bypass, cross-account data access, remote code execution, and cryptographic flaws in the clients or Bridge. Test only against accounts you own. There is no free tier, so set up a test account on the cheapest plan and mention it in your report - we refund accounts created in good faith for research.
Rewards
Rewards are banded by real-world impact, not by bug class. We rate severity using CVSS as a starting point and adjust for what the bug actually exposes in our architecture - a bug that touches message content or keys will always land at the top of its band or above it. Final amounts are at our discretion, but we aim to be generous rather than grudging, and we pay in CHF (or the equivalent in GBP or EUR) by bank transfer.
| Severity | Typical examples | Reward |
|---|---|---|
| Critical | Remote code execution on production infrastructure; any bypass of zero-access encryption; reading another user's mailbox or keys | CHF 3,000 - 10,000 |
| High | Authentication or 2FA bypass; stored XSS in webmail reaching decrypted content; SSRF with access to internal systems | CHF 1,000 - 3,000 |
| Medium | CSRF on state-changing account actions; stored XSS with limited scope; rate-limit bypass on authentication endpoints; meaningful metadata leaks | CHF 300 - 1,000 |
| Low | Reflected XSS needing unusual interaction; low-sensitivity information disclosure; logic flaws with marginal impact | CHF 50 - 300 |
| Informational | Valid findings below the reward threshold that still improve our posture | Swag + hall of fame |
Out of scope
The usual suspects. Reports in these categories will be read, but they do not qualify for a reward:
- Automated scanner output without a working proof of concept
- Denial of service, volumetric attacks or resource exhaustion of any kind - please do not test these at all
- Social engineering of Scroogle Mail staff, contractors or suppliers
- Physical attacks on our offices or the Zurich and Lausanne datacentres
- Missing best-practice headers or cookie flags with no demonstrated exploit
- Self-XSS, or anything that requires the victim to paste code into their own console
- Rate limiting on non-authentication endpoints
- Issues that only reproduce in out-of-date browsers or app versions
- Clickjacking on pages with no sensitive, state-changing actions
- SPF, DKIM or DMARC observations on subdomains that do not send mail
- Vulnerabilities in third-party services we link to but do not operate
- Credentials found in third-party breach dumps ("password reuse" reports)
Safe harbour
If you research in good faith and within these rules, you are safe with us. Scroogle Mail AG will not pursue civil claims or file criminal complaints against you for security research that respects this policy, and we treat such research as authorised access to our systems. That commitment operates within Swiss law: we cannot grant immunity from Swiss criminal law itself or bind third parties, so keep your testing proportionate - access only your own accounts and test data, go no further into any system than is needed to demonstrate the flaw, do not degrade the service for others, and delete any data you did not mean to obtain. If you accidentally touch another user's data, stop immediately and tell us in your report; doing so does not disqualify you. If a third party ever raises legal questions about research done under this policy, we will make it known that the work was authorised.
How to report
- Write it up. Include the affected host, app or plugin and its version, clear reproduction steps, a working proof of concept, and your assessment of the impact. One issue per report, please.
- Send it encrypted to security@scrooglemail.com using the PGP key above. Plaintext is accepted for low-sensitivity findings, but anything touching user data or a live exploit path should be encrypted.
- We acknowledge within 1 working day and complete triage - severity, validity, duplicate check - within 3 working days. You get a named human, not a ticket robot.
- We fix it. Target timelines: critical issues within 7 days, high within 30, medium and low within 90. We keep you updated as we go.
- We pay and disclose. The reward is paid once the fix is confirmed. We publish fixed issues on our security advisories page and credit you by name or handle - or keep you anonymous if you prefer. You are free to publish your own write-up 90 days after triage or once the fix ships, whichever comes first; we are happy to coordinate on the date.
First to report gets the reward; duplicates get a thank-you and, where the report adds something real, a spot in the hall of fame. Findings also feed our transparency report statistics.
Hall of fame
Researchers who have made Scroogle Mail measurably safer. Thank you - the drinks in Zurich are on us.
- quietwire - May 2026
- m0rgenrot - February 2026
- PfefferSec - November 2025
- null_terrine - August 2025
- tessellate9 - March 2025
To report a security issue with an account or a user rather than our software - spam, phishing, abuse of the service - use report abuse instead.