
GMX GmbH
External Program
Security of data entrusted to us by our clients has the highest priority. This is why we have decided to implement a bug bounty program and invite independent security researchers to help us further improve the security of our systems.
Only the web applications within the authenticated area that process customer data (i.e. products such as email, calendar or file storage, including the authentication systems) are currently within the scope of the bug bounty program.
All other systems are out of scope. Of course, we still accept vulnerability reports for those systems, but we do not reward them.
If you have found a vulnerability on a system but are not sure whether it belongs to the above-mentioned systems in scope, you can send us an email at the address listed below with the fully qualified domain name of the system. We will reply to you shortly.
We are interested solely in reports of exploitable security issues which put the confidentiality or integrity of our customers' data at risk.
The exact amount paid out depends on the impact of the identified vulnerability.
The following common examples of vulnerabilities are generally not considered relevant:
If you have found a vulnerability on one of our systems that is in scope of the bug bounty program, you can send your report to the following address: [email protected]
The report has to contain the following:
We will get in touch with you shortly after receiving the report.
You are eligible for the bug bounty if you:
have found a vulnerability on a system which is in scope as explained above
have delivered a proper report with all the above requested data
stick to the responsible disclosure principles - you give us the time we need to fix the vulnerability before making it public
have not put any real customer data at risk - use a test account if needed for a Proof of Concept
are the first one who has found the issue (regardless of the brand of the product - e.g. email interface at WEB.DE, GMX and mail.com counts as one product)
are not an employee, former employee or a family member of an employee of United Internet AG or any of its subsidiaries