
Mailgun
- $100 – $1,500 per vulnerability
- Up to $3,000 maximum reward
Mailgun empowers developers by allowing them to easily integrate email into their applications. With our powerful API, users can build apps that send, receive, and track emails in real time using a combination of standard protocols. We work hard to keep Mailgun high-performing and secure for our user community. Help us make our products even better and earn rewards by reporting potential vulnerabilities.
Maximum Reward
There is a $3,000 bonus for P1 reports related to Mailgun's SSO functionality. SSO functionality extends across the app.mailgun.com and login.mailgun.com targets; see the SSO Implementation Guide for details.
Getting Started
- API used by Mailgun: Documentation
- The Mailgun Application: User Manual
Focus Areas
Mailgun places the utmost value on its customers’ data and trust. The following report outcomes are prioritized by Mailgun Security and will be accepted as P1 or P2 based on impact:
- Ability to exfiltrate customer data from the platform
- Unauthorized takeover of a customer account
- Running code on Mailgun-owned infrastructure
Ratings/Rewards
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability's priority will be modified based on its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher, along with the opportunity to appeal and make a case for a higher priority.
Please note that all leaked API keys found on GitHub are specifically excluded from the program.
Out Of Scope VRT Categories
Based on the nature of Mailgun's services and architecture, the following VRT Categories are considered Out of Scope:
- Cross Site Scripting (XSS)
- Denial of Service
Scope and rewards
Program rules
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.