
1. Purpose
Runbox is committed to delivering secure, private, and innovative email services, and our users rely on us to protect their privacy and keep their communications secure. We honor that trust by collaborating with the security community to identify and address vulnerabilities, ensuring that our platform remains robust and reliable. We invite developers and security researchers to contribute to the Runbox 7 open-source project and help us improve our platform.
Our bounty program rewards both feature development and responsible bug reports, but we strictly prohibit any testing that disrupts our services or violates the law. While we value security research, deliberate attempts to break into our systems are illegal, regardless of intent. Brute force attacks and DoS attempts are strictly prohibited.
2. Eligibility Requirements
- You must not publicly disclose your findings.
- You must never exploit any vulnerability.
- You must provide a detailed explanation and steps to reproduce the bug.
- Submitting a patch that fixes the issue may qualify you for a double bounty.
3. Feature Bounties
We encourage you to contribute to Runbox 7 by adding new functionality that benefits all users. All contributions must include tests and documentation to qualify.
- Gold ($1,000 reward): Major features, such as new screens for Account, Files, or Manager, REST endpoint specifications, significant performance optimizations, or substantial code refactoring.
- Silver ($500 reward): Medium-sized features or significant improvements to existing functionality, such as new sub-sections or enhanced features within Account, Files, or Manager.
- Bronze ($100 reward): Smaller enhancements, such as urgent or critical GitHub issues that improve existing features.
To get started with our Features Bounty Program, have a look at our Runbox 7 GitHub repository. We are marking issues that are suitable for new contributors with “good first issue 7”. Refer to the Runbox 7 Roadmap and GitHub issues for specific opportunities.
Please review our contribution guidelines and follow these instructions.
4. Bug Bounties
Security and reliability are critical to our operations. We reward responsible disclosure of vulnerabilities—but only if testing complies with our rules. Brute force attacks and DoS attempts are strictly prohibited. Reach out to us first at support@runbox.com to get approval.
- High ($1,000 reward): Severe vulnerabilities, such as those leading to elevated privileges, significant data compromise, or service downtime. Examples include critical GitHub bug issues.
- Medium ($500 reward): Vulnerabilities that provide limited access, such as potential denial of service risks, individual account manipulation, or temporary issues affecting limited data sets.
- Low ($100 reward): Low-impact vulnerabilities that require significant system knowledge to exploit, such as urgent GitHub bug issues.
5. Rules for Responsible Testing
Allowed
- Testing only on approved systems.
- Single-request testing (e.g. manual checks for common web vulnerabilities like cross-site scripting or misconfigured APIs).
- Use of pre-approved automated tools with rate limits.
- Immediate, confidential reporting of findings.
Prohibited
- Brute force attacks (e.g., password spraying, credential stuffing).
- Denial of Service (DoS/DDoS) or flooding.
- Unauthorized access attempts or exploitation of vulnerabilities.
- Social engineering (e.g., phishing, targeting employees/customers).
- Testing production systems without explicit approval.
Violations of these rules are illegal and will result in:
- Immediate ban from the program.
- Legal action, including reporting to authorities and claiming compensation for damages.
6. How to Submit a Report
Submit your findings via email to support@runbox.com with the subject line “Bug Bounty Program Submission.” Include:
- A detailed description of the vulnerability or feature.
- Steps to reproduce (for bugs) or implementation details (for features).
- Proof-of-concept code or screenshots (if applicable).
- Your contact information.
7. Legal Considerations
Brute force attacks constitute unauthorized access and are strictly prohibited. Runbox will pursue legal and/or criminal action against persons who do not comply with this policy. All testing must comply with Norwegian privacy laws and GDPR. We reserve the right to determine eligibility and reward amounts at our discretion.
If you have any questions, reply to this topic or contact us at support@runbox.com.
– Geir