We invite you to participate in Proton’s mission to secure its users’ private data online!
Proton was founded in 2013 by scientists who met at CERN and were drawn together by a shared vision of a more secure and private Internet. To support the global effort to protect civil liberties and build a more secure Internet, Proton has launched a private Bug Bounty Program together with Bug Bounty Switzerland. We invite sophisticated security researchers, cryptographers and hackers with experience searching for and identifying advanced vulnerabilities to join this program.
Why we want you
- You have publicly demonstrated unique expertise in security research, cryptography or identified vulnerabilities in sensitive systems
- Proton’s top priority has always been the security of its community – and we need you to sustain it
What you can expect
- The program will give you early and exclusive access to unpublished versions of the applications and their source code
- We pay attractive bounties for accepted reports, concerning infrastructure, apps or source code – up to 30k
- Coordinated vulnerability disclosure
- A constructive dialogue, fair rules and a legal safe harbor
Key focus areas include
- Vulnerabilities that will compromise a Proton user’s personal data
- Compromising Proton’s encryption (password leaks, private keys, etc.)
- The ability to demonstrate unauthorized access to customer data (such as email, calendar, etc.)
- Demonstrating EOP, sensitive information disclosure, or availability vulnerabilities in Proton products
- Compromising Proton API or server infrastructure
- Demonstrating the ability to compromise Proton applications running on mobile devices, Windows, Linux, and Apple
This is a private program – only invited researchers can participate. We are committed to working closely with qualified security researchers to ensure that our products are as secure as possible.
If you are interested in participating in this program, then apply now!
What you can expect
The Systems in Scope
In scope are all systems of Proton (server systems, web applications, apps, local applications), including source code of most of them. Additionally, preview access to non-published source code and/or corresponding builds of the applications can be provided.
- Mobile apps
- Web applications, server systems (APIs, backend)
- ProtonBridge
- Source code
- Mobile apps
- Web applications, server systems (APIs, backend)
- Source code
- Web applications, server systems (APIs, backend)
- Source code
- Mobile apps
- Web applications, server systems (APIs, backend)
- Mobile apps
- Web extensions
How we assess the Impact
When assessing reports, the impact on Proton and its users is what matters. For example, the following will be considered:
What kind of data or system can be accessed?
- Cleartext representation of encrypted user data
- Meta-data of Proton’s users
- Proton’s infrastructure
- The devices of Proton’s users
The scalability of the attack
- Single users
- Many users at once
Whether targeted attacks are possible
- Attacking random users
- Targeted attacks on a single user
Rewards
Based on the impact, bounties of up to 30k are paid out.
Source Code
For most of Proton’s products the source code is available and can be used, for example, to identify flawed implementations or cryptographic issues that could lead to exploitation.
Legal Safe Harbor
The program provides a legal safe harbor and protects security researchers from prosecution when they act in good faith and comply with the rules of the program.
Responsible Disclosure
- Proton encourages coordinated disclosure of vulnerabilities
- Disclosure of vulnerabilities found in this private program is possible with written consent of Proton