At Polymail, we recognize that no technology is flawless. We believe that collaborating with security researchers around the world is essential to maintaining the integrity and safety of our systems.

If you believe you’ve discovered a potential security vulnerability in Polymail, we encourage you to report it to us. We’re committed to working with you to investigate and resolve the issue promptly and responsibly.

Reporting Guidelines

If you’ve identified a security issue, please:

• Report it to us as soon as possible.

• Allow us reasonable time to investigate and resolve the issue before disclosing it to the public or third parties.

• Make a good faith effort to avoid privacy violations, service disruptions, or data loss.

• Only test with accounts you own or have explicit permission to access.

• Limit your testing to a maximum of five accounts. If you need more for testing purposes, contact us for approval.

Excluded Activities

While researching, please do not engage in the following:

• Denial of Service (DoS) attacks

• Spamming

• Social engineering (e.g., phishing) of Polymail staff or contractors

• Physical attempts to access Polymail offices, infrastructure, or data centers

• Out-of-Scope Vulnerabilities

We do not consider the following issues to be within the scope of this policy:

• Presence or absence of DMARC, SPF, or DKIM records

• XSS vulnerabilities on domains other than app.polymail.io

• Safe Harbor

If your actions are consistent with this policy:

We will treat them as authorized and will not pursue legal action.

If a third party initiates legal action against you, we will clarify that your actions were in line with our responsible disclosure policy.

Bug Bounty Notice

Please note: Polymail does not currently offer a bug bounty program. While we deeply appreciate reports that help improve our security, we do not provide monetary rewards at this time.