• $100 – $1,500 per vulnerability
  • Partial safe harbor
  • Managed by Bugcrowd

Program stats

113 vulnerabilities rewarded

Validation within about 17 hours
75% of submissions are accepted or rejected within about 17 hours

$150 average payout (last 3 months)

Latest hall of famers

Recently joined this program

760 total


Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Mailgun empowers developers by allowing them to easily integrate email into their applications. With our powerful API, users can build apps that send, receive, and track emails in real time using a combination of standard protocols. We work hard to keep Mailgun high performing and secure for our user community. Help us make our products even better and earn rewards by reporting potential vulnerabilities.

Getting Started

Focus Areas

Mailgun places the utmost value on its customers’ data and trust. The following report outcomes are prioritized by Mailgun Security and will be accepted as P1 or P2 based on impact:

  • Ability to exfiltrate customer data from the platform
  • Unauthorized takeover of a customer account
  • Running code on Mailgun-owned infrastructure


For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Please note that all leaked API keys found on Github are specifically excluded from the program.

Out Of Scope VRT Categories

Based on the nature of Mailgun's services and architecture, the following VRT Categories are considered Out of Scope:

  • Cross Site Scripting (XSS)
  • Denial of Service

Reward range

Last updated

Technical severity Reward range
p1 Critical $1,300 - $1,500
p2 Severe $800 - $1,000
p3 Moderate $200 - $200
p4 Low $100 - $100
P5 submissions do not receive any rewards for this program.


In scope

Target name Type Tags Website Testing
  • Website Testing Website Testing
  • Website Testing
  • nginx
  • Javascript
  • Amazon Cloudfront Website Testing
  • Website Testing
  • nginx
  • Stripe
  • Mailgun API Testing
  • API Testing
  • HTTP Website Testing
  • Website Testing
  • Bootstrap
  • jQuery
  • MySQL
  • Wordpress
  • PHP Website Testing
  • Website Testing
  • Bootstrap
  • jQuery API Testing
  • API Testing Other
  • SMTP

Out of scope

Target name Type Website Testing Website Testing

Any domain/property of Mailgun not listed in the targets section is out of scope. This includes any/all subdomains not listed above.


For testing purposes, you're free to create your own accounts to do so, please sign up at with your ('username' email address (for more information regarding your @bugcrowdninja email, please see this doc:


  • Privilege escalations based our user roles
  • Findings related to Third-Party Services used by Mailgun

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.