Report a vulnerability

We do our utmost to protect our users' data. We are deeply grateful for any insights you might provide that will help us strengthen our security.

Have you found a security flaw in our product? Please let us know as soon as possible by submitting your report to

What your report should contain:

  • Describe where the vulnerability was discovered and the potential impact of exploitation.
  • Offer a detailed description of the steps needed to reproduce the vulnerability (proof-of-concept scripts or screenshots are helpful).
  • Be in English, if possible.

Here's what happens when you report a security flaw:

  • We'll acknowledge your report, usually within 72 hours.
  • We'll investigate the issue and determine how it impacts our product. Here, we'll keep an open dialog to make sure that we fully understand the impact.
  • We won't disclose the issue until it has been thoroughly investigated and patched.



The following test methods are not authorized:

  • Attempting to access other users' accounts.
  • Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data.
  • Physical testing (e.g., office access, open doors, tailgating).
  • Social engineering or any other non-technical vulnerability testing.
  • Phishing attempts towards any staff at Mailflow.
  • Automated vulnerability reports.
  • Spamming, mailbombing, brute-forcing, or automated attacks.
  • Leaking, manipulating, or destroying any user data.
  • Harmful or non-good-faith testing.

Safe Harbor

If you make a good-faith effort to comply with this policy, we'll consider your security research to be authorized. When you submit a report, we'll work with you to resolve the issue quickly.