
Mailgo
Mailgo is a cold email tool designed to help businesses scale their email campaigns efficiently, ensuring high deliverability and engagement.
Program at a glance
- Reward Range: 25 - 500 points (per eligible submission)
- Response SLA: 24 hours (initial response time)
- Average Time to Resolution: 1 month (from submission to payout)
- Vulnerabilities rewarded: 116
- Validation Within: 20 hours
At Mailgo, we’re dedicated to keeping our AI-powered cold email platform secure for users worldwide. This isn’t a legal document but a comprehensive overview of our Vulnerability Disclosure Program (VDP), designed to encourage security researchers to report vulnerabilities on mailgo.ai. Your efforts help us maintain a trusted platform for high-deliverability email campaigns, and eligible reports may qualify for recognition or rewards based on their impact.
For full details, visit our Privacy Policy and Documentation on mailgo.ai.
Your Data, Our Priority
- Your data stays yours. Mailgo never uses your data to train AI models, and you retain full control, including the ability to export it anytime.
- Robust security standards. We’re GDPR compliant, with data encrypted at rest using 256-bit AES and in transit via TLS (HTTPS). Payment data is protected through Stripe’s industry-standard measures.
- Regular audits. Our platform undergoes frequent security reviews, including by trusted partners like Google and Microsoft, to ensure we meet the highest security benchmarks.
- Continuous monitoring. We actively monitor our systems for potential threats and maintain strict access controls to safeguard your data.
Vulnerability Disclosure Program
Mailgo’s VDP invites security researchers to report vulnerabilities on mailgo.ai and its latest public platform. Your contributions strengthen our platform, and we’re committed to a transparent, collaborative process to address security issues promptly.
Please include the CVSS calculator output in your report to assist with severity assessment.
What’s In Scope?
- Vulnerabilities on mailgo.ai and its subdomains.
- Issues impacting the confidentiality, integrity, or availability of user data or platform functionality, such as:
  - Cross-Site Scripting (XSS) on mailgo.ai or core platform features.
  - Unauthorized access to user accounts or data.
  - Flaws in AI-driven features (e.g., email generation, scheduling, or lead prioritization) that could expose data.
  - Vulnerabilities in the email verification or email-guessing features that affect deliverability or privacy.
What’s Out of Scope?
To keep reports actionable, the following are generally excluded:
- Automated scan outputs without validated proof of exploitability.
- Non-security bugs (e.g., UI glitches, broken links, or performance issues).
- SMTP issues (e.g., SPF/DKIM/DMARC misconfigurations) without a demonstrated exploit.
- Clickjacking without a practical, impactful exploit.
- Missing DNSSEC or SSL/TLS best practices (e.g., BEAST, BREACH) without a realistic exploit.
- Missing cookie security flags unless tied to a clear vulnerability.
- Public data disclosure (e.g., software versions) without a direct security impact.
- Third-party service vulnerabilities (e.g., Stripe, Google, Microsoft integrations) unless directly exploitable on Mailgo’s platform.
- Missing HTTP security headers (e.g., CSP, HSTS) without a specific exploit.
- Self-XSS vulnerabilities or issues requiring excessive user interaction.
- Brute force, rate-limiting, or Denial of Service (DoS) attacks.
- Content spoofing or text injection without an exploitable payload.
- Host header injection without a demonstrated exploit.
- Software version disclosure unless linked to a known, exploitable vulnerability.
- Missing CSRF tokens on non-sensitive pages.
- Vulnerabilities affecting outdated browsers (more than two stable versions behind the latest release).
- Social engineering attacks (e.g., phishing, impersonation).
- Prompt engineering of AI features to elicit inappropriate responses.
Eligibility for Rewards
To qualify for a reward or recognition:
- The issue must affect the latest public version of mailgo.ai.
- You must be the first to report the issue—duplicates are ineligible.
- Provide a proof of concept (e.g., screenshots, code, or video) demonstrating exploitability.
- Do not publicly disclose the issue without Mailgo’s written consent.
- Include detailed reproduction steps, a video, or a clear how-to guide.
- The issue must be in scope and have a demonstrable security impact.
Safe Harbor
Mailgo commits to not pursuing legal action against researchers who act in good faith and comply with this VDP’s guidelines. If your research involves third-party systems (e.g., Gmail or Outlook integrations), we cannot authorize testing on those systems, and you must follow their respective policies. If a third party initiates legal action, Mailgo will confirm your compliance with this VDP to support your good-faith efforts, provided you’ve adhered to all guidelines.
How to Report
Submit reports using HuntBug’s platform with:
- Subject line: “VDP: [Vulnerability Name] – [Severity]”
- A detailed description of the vulnerability.
- Proof of concept, reproduction steps, or a video demonstration.
- CVSS calculator output and your self-assessed severity.
- Your contact details (real name and email) for verification and payment.
Encrypt sensitive reports using our PGP key, available on mailgo.ai. By submitting, you grant Mailgo a perpetual, irrevocable, no-charge license to all intellectual property rights related to your submission. Notify us if your report involves third-party intellectual property.
Guidelines for Responsible Testing
- Minimize impact. Avoid accessing, storing, or sharing sensitive user data (e.g., personal information, credentials) beyond what’s necessary to demonstrate the vulnerability. Delete all copies of sensitive data after reporting.
- No disruptive actions. Refrain from activities that could harm Mailgo’s platform or users, such as social engineering, phishing, or Denial of Service attacks.
- Stay in scope. Test only against accounts you own or have explicit permission to test. Avoid automated scanners that could disrupt systems or trigger state changes.
- Responsible disclosure. Do not share vulnerability details with third parties or publicly without Mailgo’s explicit written permission.
Spam Prevention
To ensure high-quality submissions:
- Avoid unvalidated automated scan reports—always include a proof of concept.
- Prioritize detailed, high-impact reports over quantity.
- Repeated low-quality, out-of-scope, or duplicate submissions may lead to temporary or permanent exclusion.
- Reports containing AI-generated “slop” (e.g., hallucinated vulnerabilities or vague technical content) will be rejected as spam.
Our Commitment to Researchers
We value the security community’s contributions and review all reports promptly. Valid, high-impact vulnerabilities may earn rewards or public recognition (with your consent). Even out-of-scope but valuable reports may receive acknowledgment at our discretion.
Thank You
Thank you for helping keep Mailgo secure. Your efforts protect our users and strengthen our AI-powered cold email platform. Together, we’re building a safer, more reliable digital ecosystem.