Bug bounty

Correct.email Vulnerability Reward Program (CRP)

Correct.email - Bug Bounty Program

Correct.email recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.

Note: This program is for the disclosure of software security vulnerabilities only. If you believe your Correct.email account has been compromised, change your password and contact immediately.

Responsible Disclosure

Responsible disclosure includes:

  1. Providing us a reasonable amount of time to fix the issue before publishing it elsewhere.
  2. Making a good faith effort to not leak or destroy any Correct.email user data.
  3. Not defrauding Correct.email users or Correct.email itself in the process of discovery.

In order to encourage responsible disclosure, we promise not to bring legal action against researchers who point out a problem provided they do their best to follow the above guidelines.

Social Engineering

You are not allowed to conduct social engineering attacks against our support team. This will most likely result in your account being closed and no bounty will be awarded.


The minimum payout is $10 USD and an entry in our hall of fame for reporting a new security vulnerability which results in a code or configuration change on our part. There is no maximum reward, and we may award higher amounts based on the severity or creativity of the vulnerability found. Researchers are more likely to earn a larger reward by demonstrating how a vulnerability can be exploited to maximum effect.

We use the following table as a guideline for determining reward amounts:

Remote Code Execution$100
Significant manipulation of account balance$100
XSS/CSRF/Clickjacking affecting sensitive actions [1]$100
Theft of privileged information [2]$100
Partial authentication bypass$100
Other XSS (excluding Self-XSS)$100
Other vulnerability with clear potential for financial or data loss$100
Other CSRF (excluding logout CSRF)$100
Other best practice or defense in depth$10

[1] Sensitive actions include: depositing, trading, or sending money; OAuth or API Key actions

[2] Privileged information includes: passwords, API keys, bank account numbers, social security numbers or equivalent


All services provided by Correct.email are eligible for our bug bounty program, including the Correct.email Wallet, API, Merchant Tools, and Exchange.

In general, anything which has the potential for financial loss or data breach is of sufficient severity, including:

  • XSS
  • CSRF
  • Authentication bypass or privilege escalation
  • Click jacking
  • Remote code execution
  • Obtaining user information
  • Accounting errors

In general, the following would not meet the threshold for severity:

  • Lack of password length restrictions
  • Merely showing that a page can be iFramed without finding a link on the page to be click-jacked.
  • Self-XSS
  • Denial of service
  • Spamming
  • Vulnerabilities in third party applications which make use of the Correct.email API
  • Vulnerabilities which involve privileged access (e.g. rooting a phone) to a victim’s device(s)
  • Logout CSRF
  • User existence/enumeration vulnerabilities
  • Password complexity requirements
  • Reports from automated tools or scans (without accompanying demonstration of exploitability)
  • Social engineering attacks against Correct.email employees or contractors
  • Text-only injection in error pages
  • Automatic hyperlink construction by 3rd party email providers
  • Using email mutations (+, ., etc) to create multiple accounts for a single email

The following domains are hosted currently eligible for our bug bounty program:

  • correct.email
  • app.correct.email
  • admin.correct.email
  • aff.correct.email

Correct.email will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.

By submitting a bug, you agree to be bound by the above rules.