<!doctype html><html lang="en" class="no-script"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link rel="preload" as="font" type="font/woff2" href="/assets/fonts/roca/rocaone-rg-webfont.woff2" crossorigin><link rel="preload" as="font" type="font/woff2" href="/assets/fonts/proximanova/basic/proximanova-regular.woff2" crossorigin><link rel="preload" as="font" type="font/woff2" href="/assets/fonts/proximanova/basic/proximanova-semibold.woff2" crossorigin><link rel="preload" as="font" type="font/woff2" href="/assets/fonts/proximanova/basic/proximanova-bold.woff2" crossorigin><title>Security Issue Reporting | Fastmail</title><meta property="og:title" content="Security Issue Reporting"><meta name="twitter:title" content="Security Issue Reporting"><link rel="canonical" href="https://www.fastmail.com/bug-bounty/"><meta property="og:url" content="https://www.fastmail.com/bug-bounty/"><meta property="og:site_name" content="Fastmail"><meta name="twitter:site" content="@Fastmail"><meta name="twitter:creator" content="@Fastmail"><meta property="og:image" content="https://www.fastmail.com/assets/images/opengraph/Fastmail-OG.png"><meta name="twitter:image" content="https://www.fastmail.com/assets/images/opengraph/Fastmail-OG.png"><meta property="og:image:type" content="png"><meta property="og:image:width" content="1200"><meta property="og:image:height" content="630"><meta name="twitter:card" content="summary_large_image"><meta property="og:type" content="website"><meta property="eleventy:path" content="./source/content/legal/disclosure/bug-bounty.md"><script>document.querySelector("html").classList.remove("no-script");function run(o){document.readyState==="loading"?document.addEventListener("DOMContentLoaded",o):o()}(function(){if("fonts"in document){if(sessionStorage.fontsLoaded){document.documentElement.classList.add("fonts-loaded-2");return}Promise.all([document.fonts.load("400 1em 'Proxima Nova'"),document.fonts.load("400 1em roca")]).then(function(){document.documentElement.classList.add("fonts-loaded-1"),Promise.all([document.fonts.load("600 1em 'Proxima Nova'"),document.fonts.load("700 1em 'Proxima Nova'"),document.fonts.load("100 1em roca"),document.fonts.load("300 1em roca")]).then(function(){document.documentElement.classList.remove("fonts-loaded-1"),document.documentElement.classList.add("fonts-loaded-2"),sessionStorage.fontsLoaded=!0})})}})(); </script><style> /*! * Web Fonts from Fontspring.com * * All OpenType features and all extended glyphs have been removed. * Fully installable fonts can be purchased at http://www.fontspring.com * * The fonts included in this stylesheet are subject to the End User License you purchased * from Fontspring. The fonts are protected under domestic and international trademark and * copyright law. You are prohibited from modifying, reverse engineering, duplicating, or * distributing this font software. * * (c) 2010-2024 Fontspring * * The fonts included are copyrighted by the vendors listed below. * * Vendor: Mark Simonson Studio * License URL: https://www.fontspring.com/licenses/mark-simonson-studio/webfont * * Vendor: My Creative Land * License URL: https://www.fontspring.com/license/my-creative-land/webfont */@font-face{descent-override:55%;font-family:Georgia Roca Fallback;font-style:normal;size-adjust:90%;src:local(Georgia-Bold)}@font-face{font-display:swap;font-family:roca;font-style:normal;font-weight:100;src:url(/assets/fonts/roca/rocaone-th-webfont.woff2) format("woff2")}@font-face{font-display:swap;font-family:roca;font-style:normal;font-weight:300;src:url(/assets/fonts/roca/rocaone-lt-webfont.woff2) format("woff2")}@font-face{font-display:swap;font-family:roca;font-style:normal;font-weight:400;src:url(/assets/fonts/roca/rocaone-rg-webfont.woff2) format("woff2")}@font-face{font-display:swap;font-family:Proxima Nova;font-style:normal;font-weight:300;src:local("Proxima Nova Light"),local("ProximaNova-Light"),url(/assets/fonts/proximanova/basic/proximanova-light.woff2) format("woff2"),url(/assets/fonts/proximanova/basic/proximanova-light.woff) format("woff");unicode-range:u+0000-007e,u+00a0-00a3,u+00a5,u+00a8-00a9,u+00ab,u+00ae,u+00b4,u+00b8,u+00bb,u+00bf-00c2,u+00c4,u+00c6-00cb,u+00cd-00cf,u+00d1,u+00d3-00d4,u+00d6,u+00d9-00dc,u+00df-00e2,u+00e4,u+00e6-00eb,u+00ed-00ef,u+00f1,u+00f3-00f4,u+00f6,u+00f9-00fc,u+00ff,u+0152-0153,u+0178,u+02c6,u+02da,u+02dc,u+2013-2014,u+2018-201a,u+201c-201e,u+2022,u+2026,u+202f,u+2039-203a,u+20ac,u+2122}@font-face{font-display:swap;font-family:Proxima Nova;font-style:normal;font-weight:300;src:local("Proxima Nova Light"),local("ProximaNova-Light"),url(/assets/fonts/proximanova/extended/proximanova-light.woff2) format("woff2"),url(/assets/fonts/proximanova/extended/proximanova-light.woff) format("woff");unicode-range:u+007f-009f,u+00a4,u+00a6-00a7,u+00aa,u+00ac-00ad,u+00af-00b3,u+00b5-00b7,u+00b9-00ba,u+00bc-00be,u+00c3,u+00c5,u+00cc,u+00d0,u+00d2,u+00d5,u+00d7-00d8,u+00dd-00de,u+00e3,u+00e5,u+00ec,u+00f0,u+00f2,u+00f5,u+00f7-00f8,u+00fd-00fe,u+0100-0151,u+0154-0177,u+0179-02c5,u+02c7-02d9,u+02db,u+02dd-2012,u+2015-2017,u+201b,u+201f-2021,u+2023-2025,u+2027-202e,u+2030-2038,u+203b-20ab,u+20ad-2121,u+2123-fb04}@font-face{font-display:swap;font-family:Proxima Nova;font-style:normal;font-weight:400;src:local("Proxima Nova Regular"),local("ProximaNova-Regular"),url(/assets/fonts/proximanova/basic/proximanova-regular.woff2) format("woff2"),url(/assets/fonts/proximanova/basic/proximanova-regular.woff) format("woff");unicode-range:u+0000-007e,u+00a0-00a3,u+00a5,u+00a8-00a9,u+00ab,u+00ae,u+00b4,u+00b8,u+00bb,u+00bf-00c2,u+00c4,u+00c6-00cb,u+00cd-00cf,u+00d1,u+00d3-00d4,u+00d6,u+00d9-00dc,u+00df-00e2,u+00e4,u+00e6-00eb,u+00ed-00ef,u+00f1,u+00f3-00f4,u+00f6,u+00f9-00fc,u+00ff,u+0152-0153,u+0178,u+02c6,u+02da,u+02dc,u+2013-2014,u+2018-201a,u+201c-201e,u+2022,u+2026,u+202f,u+2039-203a,u+20ac,u+2122}@font-face{font-display:swap;font-family:Proxima Nova;font-style:normal;font-weight:400;src:local("Proxima Nova Regular"),local("ProximaNova-Regular"),url(/assets/fonts/proximanova/extended/proximanova-regular.woff2) format("woff2"),url(/assets/fonts/proximanova/extended/proximanova-regular.woff) format("woff");unicode-range:u+007f-009f,u+00a4,u+00a6-00a7,u+00aa,u+00ac-00ad,u+00af-00b3,u+00b5-00b7,u+00b9-00ba,u+00bc-00be,u+00c3,u+00c5,u+00cc,u+00d0,u+00d2,u+00d5,u+00d7-00d8,u+00dd-00de,u+00e3,u+00e5,u+00ec,u+00f0,u+00f2,u+00f5,u+00f7-00f8,u+00fd-00fe,u+0100-0151,u+0154-0177,u+0179-02c5,u+02c7-02d9,u+02db,u+02dd-2012,u+2015-2017,u+201b,u+201f-2021,u+2023-2025,u+2027-202e,u+2030-2038,u+203b-20ab,u+20ad-2121,u+2123-fb04}@font-face{font-display:swap;font-family:Proxima Nova;font-style:italic;font-weight:400;src:local("Proxima Nova Regular Italic"),local("ProximaNova-RegularIt"),url(/assets/fonts/proximanova/basic/proximanova-regularit.woff2) format("woff2"),url(/assets/fonts/proximanova/basic/proximanova-regularit.woff) format("woff");unicode-range:u+0000-007e,u+00a0-00a3,u+00a5,u+00a8-00a9,u+00ab,u+00ae,u+00b4,u+00b8,u+00bb,u+00bf-00c2,u+00c4,u+00c6-00cb,u+00cd-00cf,u+00d1,u+00d3-00d4,u+00d6,u+00d9-00dc,u+00df-00e2,u+00e4,u+00e6-00eb,u+00ed-00ef,u+00f1,u+00f3-00f4,u+00f6,u+00f9-00fc,u+00ff,u+0152-0153,u+0178,u+02c6,u+02da,u+02dc,u+2013-2014,u+2018-201a,u+201c-201e,u+2022,u+2026,u+202f,u+2039-203a,u+20ac,u+2122}@font-face{font-display:swap;font-family:Proxima Nova;font-style:italic;font-weight:400;src:local("Proxima Nova Regular Italic"),local("ProximaNova-RegularIt"),url(/assets/fonts/proximanova/extended/proximanova-regularit.woff2) format("woff2"),url(/assets/fonts/proximanova/extended/proximanova-regularit.woff) format("woff");unicode-range:u+007f-009f,u+00a4,u+00a6-00a7,u+00aa,u+00ac-00ad,u+00af-00b3,u+00b5-00b7,u+00b9-00ba,u+00bc-00be,u+00c3,u+00c5,u+00cc,u+00d0,u+00d2,u+00d5,u+00d7-00d8,u+00dd-00de,u+00e3,u+00e5,u+00ec,u+00f0,u+00f2,u+00f5,u+00f7-00f8,u+00fd-00fe,u+0100-0151,u+0154-0177,u+0179-02c5,u+02c7-02d9,u+02db,u+02dd-2012,u+2015-2017,u+201b,u+201f-2021,u+2023-2025,u+2027-202e,u+2030-2038,u+203b-20ab,u+20ad-2121,u+2123-fb04}@font-face{font-display:swap;font-family:Proxima Nova;font-style:normal;font-weight:500;src:local("Proxima Nova Medium"),local("ProximaNova-Medium"),url(/assets/fonts/proximanova/basic/proximanova-medium.woff2) format("woff2"),url(/assets/fonts/proximanova/basic/proximanova-medium.woff) format("woff");unicode-range:u+0000-007e,u+00a0-00a3,u+00a5,u+00a8-00a9,u+00ab,u+00ae,u+00b4,u+00b8,u+00bb,u+00bf-00c2,u+00c4,u+00c6-00cb,u+00cd-00cf,u+00d1,u+00d3-00d4,u+00d6,u+00d9-00dc,u+00df-00e2,u+00e4,u+00e6-00eb,u+00ed-00ef,u+00f1,u+00f3-00f4,u+00f6,u+00f9-00fc,u+00ff,u+0152-0153,u+0178,u+02c6,u+02da,u+02dc,u+2013-2014,u+2018-201a,u+201c-201e,u+2022,u+2026,u+202f,u+2039-203a,u+20ac,u+2122}@font-face{font-display:swap;font-family:Proxima Nova;font-style:normal;font-weight:500;src:local("Proxima Nova Medium"),local("ProximaNova-Medium"),url(/assets/fonts/proximanova/extended/proximanova-medium.woff2) format("woff2"),url(/assets/fonts/proximanova/extended/proximanova-medium.woff) format("woff");unicode-range:u+007f-009f,u+00a4,u+00a6-00a7,u+00aa,u+00ac-00ad,u+00af-00b3,u+00b5-00b7,u+00b9-00ba,u+00bc-00be,u+00c3,u+00c5,u+00cc,u+00d0,u+00d2,u+00d5,u+00d7-00d8,u+00dd-00de,u+00e3,u+00e5,u+00ec,u+00f0,u+00f2,u+00f5,u+00f7-00f8,u+00fd-00fe,u+0100-0151,u+0154-0177,u+0179-02c5,u+02c7-02d9,u+02db,u+02dd-2012,u+2015-2017,u+201b,u+201f-2021,u+2023-2025,u+2027-202e,u+2030-2038,u+203b-20ab,u+20ad-2121,u+2123-fb04}@font-face{font-display:swap;font-family:Proxima Nova;font-style:normal;font-weight:600;src:local("Proxima Nova Semibold"),local("ProximaNova-Semibold"),url(/assets/fonts/proximanova/basic/proximanova-semibold.woff2) format("woff2"),url(/assets/fonts/proximanova/basic/proximanova-semibold.woff) format("woff");unicode-range:u+0000-007e,u+00a0-00a3,u+00a5,u+00a8-00a9,u+00ab,u+00ae,u+00b4,u+00b8,u+00bb,u+00bf-00c2,u+00c4,u+00c6-00cb,u+00cd-00cf,u+00d1,u+00d3-00d4,u+00d6,u+00d9-00dc,u+00df-00e2,u+00e4,u+00e6-00eb,u+00ed-00ef,u+00f1,u+00f3-00f4,u+00f6,u+00f9-00fc,u+00ff,u+0152-0153,u+0178,u+02c6,u+02da,u+02dc,u+2013-2014,u+2018-201a,u+201c-201e,u+2022,u+2026,u+202f,u+2039-203a,u+20ac,u+2122}@font-face{font-display:swap;font-family:Proxima Nova;font-style:normal;font-weight:600;src:local("Proxima Nova Semibold"),local("ProximaNova-Semibold"),url(/assets/fonts/proximanova/extended/proximanova-semibold.woff2) format("woff2"),url(/assets/fonts/proximanova/extended/proximanova-semibold.woff) format("woff");unicode-range:u+007f-009f,u+00a4,u+00a6-00a7,u+00aa,u+00ac-00ad,u+00af-00b3,u+00b5-00b7,u+00b9-00ba,u+00bc-00be,u+00c3,u+00c5,u+00cc,u+00d0,u+00d2,u+00d5,u+00d7-00d8,u+00dd-00de,u+00e3,u+00e5,u+00ec,u+00f0,u+00f2,u+00f5,u+00f7-00f8,u+00fd-00fe,u+0100-0151,u+0154-0177,u+0179-02c5,u+02c7-02d9,u+02db,u+02dd-2012,u+2015-2017,u+201b,u+201f-2021,u+2023-2025,u+2027-202e,u+2030-2038,u+203b-20ab,u+20ad-2121,u+2123-fb04}@font-face{font-display:swap;font-family:Proxima Nova;font-style:normal;font-weight:700;src:local("Proxima Nova Bold"),local("ProximaNova-Bold"),url(/assets/fonts/proximanova/basic/proximanova-bold.woff2) format("woff2"),url(/assets/fonts/proximanova/basic/proximanova-bold.woff) format("woff");unicode-range:u+0000-007e,u+00a0-00a3,u+00a5,u+00a8-00a9,u+00ab,u+00ae,u+00b4,u+00b8,u+00bb,u+00bf-00c2,u+00c4,u+00c6-00cb,u+00cd-00cf,u+00d1,u+00d3-00d4,u+00d6,u+00d9-00dc,u+00df-00e2,u+00e4,u+00e6-00eb,u+00ed-00ef,u+00f1,u+00f3-00f4,u+00f6,u+00f9-00fc,u+00ff,u+0152-0153,u+0178,u+02c6,u+02da,u+02dc,u+2013-2014,u+2018-201a,u+201c-201e,u+2022,u+2026,u+202f,u+2039-203a,u+20ac,u+2122}@font-face{font-display:swap;font-family:Proxima Nova;font-style:normal;font-weight:700;src:local("Proxima Nova Bold"),local("ProximaNova-Bold"),url(/assets/fonts/proximanova/extended/proximanova-bold.woff2) format("woff2"),url(/assets/fonts/proximanova/extended/proximanova-bold.woff) format("woff");unicode-range:u+007f-009f,u+00a4,u+00a6-00a7,u+00aa,u+00ac-00ad,u+00af-00b3,u+00b5-00b7,u+00b9-00ba,u+00bc-00be,u+00c3,u+00c5,u+00cc,u+00d0,u+00d2,u+00d5,u+00d7-00d8,u+00dd-00de,u+00e3,u+00e5,u+00ec,u+00f0,u+00f2,u+00f5,u+00f7-00f8,u+00fd-00fe,u+0100-0151,u+0154-0177,u+0179-02c5,u+02c7-02d9,u+02db,u+02dd-2012,u+2015-2017,u+201b,u+201f-2021,u+2023-2025,u+2027-202e,u+2030-2038,u+203b-20ab,u+20ad-2121,u+2123-fb04}@font-face{font-display:swap;font-family:Proxima Nova;font-style:italic;font-weight:700;src:local("Proxima Nova Bold Italic"),local("ProximaNova-BoldIt"),url(/assets/fonts/proximanova/basic/proximanova-boldit.woff2) format("woff2"),url(/assets/fonts/proximanova/basic/proximanova-boldit.woff) format("woff");unicode-range:u+0000-007e,u+00a0-00a3,u+00a5,u+00a8-00a9,u+00ab,u+00ae,u+00b4,u+00b8,u+00bb,u+00bf-00c2,u+00c4,u+00c6-00cb,u+00cd-00cf,u+00d1,u+00d3-00d4,u+00d6,u+00d9-00dc,u+00df-00e2,u+00e4,u+00e6-00eb,u+00ed-00ef,u+00f1,u+00f3-00f4,u+00f6,u+00f9-00fc,u+00ff,u+0152-0153,u+0178,u+02c6,u+02da,u+02dc,u+2013-2014,u+2018-201a,u+201c-201e,u+2022,u+2026,u+202f,u+2039-203a,u+20ac,u+2122}@font-face{font-display:swap;font-family:Proxima Nova;font-style:italic;font-weight:700;src:local("Proxima Nova Bold Italic"),local("ProximaNova-BoldIt"),url(/assets/fonts/proximanova/extended/proximanova-boldit.woff2) format("woff2"),url(/assets/fonts/proximanova/extended/proximanova-boldit.woff) format("woff");unicode-range:u+007f-009f,u+00a4,u+00a6-00a7,u+00aa,u+00ac-00ad,u+00af-00b3,u+00b5-00b7,u+00b9-00ba,u+00bc-00be,u+00c3,u+00c5,u+00cc,u+00d0,u+00d2,u+00d5,u+00d7-00d8,u+00dd-00de,u+00e3,u+00e5,u+00ec,u+00f0,u+00f2,u+00f5,u+00f7-00f8,u+00fd-00fe,u+0100-0151,u+0154-0177,u+0179-02c5,u+02c7-02d9,u+02db,u+02dd-2012,u+2015-2017,u+201b,u+201f-2021,u+2023-2025,u+2027-202e,u+2030-2038,u+203b-20ab,u+20ad-2121,u+2123-fb04}</style><link rel="stylesheet" href="/assets/css/main-a7851194.css"><link rel="stylesheet" href="/assets/css/tOOgjenq8m.css"><link rel="icon" href="/favicon.ico?v=64679438" sizes="48x48"><link rel="icon" href="/favicon.svg?v=5843ac65" sizes="any" type="image/svg+xml"><link rel="apple-touch-icon" sizes="180x180" href="/apple-touch-icon.png?v=961604de"><link rel="icon" type="image/png" sizes="32x32" href="/favicon-32x32.png?v=10da1173"><link rel="icon" type="image/png" sizes="16x16" href="/favicon-16x16.png?v=79a96923"><link rel="manifest" href="/site.webmanifest?v=310b8694"><link rel="mask-icon" href="/safari-pinned-tab.svg?v=857521d6" color="#176bad"><meta name="msapplication-TileColor" content="#1f5077"><script type="module" src="/assets/js/vendor-5cdf60a8.js"></script><script type="module" src="/assets/js/main-5d19a6d9.js"></script><script type="module" src="/assets/js/HTFMUSDjYA.js"></script></head><body class="font-sans text-fg"> <!--/* INJECT_BANNER */--> <div class="grid-body"> <div class="after:bg-transparent header-container sticky top-0 z-[9999]"> <div class="absolute h-full header-background-stuck left-0 top-0 w-full"></div> <div class="absolute h-full header-background-initial left-0 top-0 w-full"></div> <header id="header" class="flex h-header items-center relative select-none text-fx-lg wrapper"> <div class="flex flex-none h-full items-center relative"> <a href="/"><span class="sr-only">Home</span> <svg class="fill-[--logo-wordmark] i-fm-wordmark-logo w-[120px]" aria-hidden="true" xmlns="http://www.w3.org/2000/svg" viewbox="0 0 952.5 203.6"> <path d="M21.4 101.8a80.4 80.4 0 0 1 147.3-44.6l15.8 3.1 2-15A101.83 101.83 0 0 0 101.8 0C45.6 0 0 45.6 0 101.8c0 20.9 6.3 40.3 17.1 56.5l15.3 2 2.5-13.9a80.31 80.31 0 0 1-13.5-44.6z" fill="#0067b9"></path> <path d="M186.7 45.7c-.1-.1-.2-.2-.3-.4l-17.8 11.9c.1.1.2.2.3.4a79.89 79.89 0 0 1 13.3 44.2c0 44.4-36 80.4-80.4 80.4-27.7 0-52.2-14-66.6-35.4-.1-.1-.2-.3-.2-.4l-17.8 11.9c.1.1.2.3.2.4a101.7 101.7 0 0 0 84.4 44.9c56.2 0 101.8-45.6 101.8-101.8 0-20.7-6.2-40-16.9-56.1z" fill="#69b3e7"></path> <path d="M101.8 101.8 53.4 69.5V134c.5-.3.9-.6 0 0l30.4-9.4 18-22.8z" fill="#ffc107"></path> <path class="fill-inherit" d="M53.4 134h93.4c1.9 0 3.4-1.5 3.4-3.4V69.5L53.4 134zm292.5-99.1V54h-62.2v40h54.8v19.1h-54.8v55.5h-22.1V34.9h84.3zm89.8 132.6v1.1h-19.3c-.9-1.9-1.7-3.7-2.2-5.6-8.4 4.3-20.2 7.4-30.1 7.4-22.5 0-35.8-11.1-35.8-30.4 0-18.9 16.5-31.4 42-31.4 8.4 0 14.5.7 20.2 1.7v-2.8c0-13.9-8.4-20.8-23.4-20.8-9.1 0-18.9 1.5-28.8 4.8l-5.4-15.4c12.6-4.6 24.3-7.1 36.4-7.1 16.2 0 25.6 4.1 32.1 10.4 6.7 6.7 9.7 16.3 9.7 28V138c-.1 9.8 1.2 20.6 4.6 29.5zm-48.3-13.6c7.4 0 16.2-1.9 23-5.4V125c-5.9-1.1-10.6-1.7-18.8-1.7-15.2 0-23 5.9-23 15.8 0 10 6.7 14.8 18.8 14.8zm136-79.1-5.2 15.6c-9.8-3-19.7-4.5-29.5-4.5-11.9 0-17.5 4.5-17.5 10.6 0 6.3 4.3 10 19.9 13.9 27.7 6.9 37.9 15.4 37.9 30.1 0 19.9-14.9 29.9-42 29.9-13.2 0-26.7-2.2-39.4-6.5l5.4-15.6c11 3.3 23.6 5.4 34 5.4 14.9 0 21.4-3.9 21.4-11.1 0-5.9-4.5-9.8-23.2-14.3-25.4-6.1-34.2-15-34.2-30.6 0-16.5 13.4-28.6 37.7-28.6 12.2 0 23.7 2 34.7 5.7zm78.2 91.6c-6.3 2.6-14.9 4.1-22.1 4.1-8.5 0-16.3-2.2-21.2-7.1-5-5-7.2-11.5-7.2-22.5V88.6h-15.8V70.9h15.8V47.4h21.2V71H597v17.6h-24.7v49.6c0 10 4.5 14.5 13 14.5 4.5 0 9.3-.9 13.2-2l3.1 15.7zm160.7-62v64.2H741v-61.1c0-12.8-7.8-20.2-20.2-20.2-7.6 0-15.8 1.9-21.7 5.2v76.1h-21.2v-61.8c0-13.7-6.9-19.5-18.8-19.5-6.9 0-15.6 2.2-23 6.3v75h-21.4V70.9h20.1v6.7c8.7-5.2 20.6-8.5 31.9-8.5 9.8 0 19.1 3.5 25.8 9.7 9.8-5.9 22.8-9.7 35.5-9.7 10.8 0 19.9 3.5 25.4 9.3 6.3 6.3 8.9 14.3 8.9 26zm104.1 63.1v1.1h-19.3c-.9-1.9-1.7-3.7-2.2-5.6-8.4 4.3-20.2 7.4-30.1 7.4-22.5 0-35.8-11.1-35.8-30.4 0-18.9 16.5-31.4 42-31.4 8.4 0 14.5.7 20.2 1.7v-2.8c0-13.9-8.4-20.8-23.4-20.8-9.1 0-18.9 1.5-28.8 4.8l-5.4-15.4c12.6-4.6 24.3-7.1 36.4-7.1 16.2 0 25.6 4.1 32.1 10.4 6.7 6.7 9.7 16.3 9.7 28V138c-.1 9.8 1.2 20.6 4.6 29.5zm-48.3-13.6c7.4 0 16.2-1.9 23-5.4V125c-5.9-1.1-10.6-1.7-18.8-1.7-15.2 0-23 5.9-23 15.8.1 10 6.7 14.8 18.8 14.8zm88.7-120.1v18.4h-21.4V33.8h21.4zm0 37.1v97.7h-21.4V70.9h21.4zm45.7-39.7v137.4h-21.3V31.2h21.3z" fill="currentColor"></path> </svg> </a> </div> <div class="navigation-wrapper z-0"> <input id="menu-toggle" type="checkbox" role="button" aria-controls="primary-navigation" aria-expanded="false" aria-haspopup="true"> <label for="menu-toggle"> <span class="collasped-text sr-only">Open menu</span> <span class="expanded-text sr-only">Hide menu</span> <svg class="i-hamburger size-icon-lg stroke-[2.25]" stroke="currentColor" stroke-width="1.25" stroke-linecap="round" stroke-linejoin="round" fill="none" aria-hidden="true" xmlns="http://www.w3.org/2000/svg" viewbox="0 0 32 32"> <path d="M5 9H27"></path> <path d="M5 16H27"></path> <path d="M5 23H27"></path> </svg> </label> <div id="side-nav-overlay" class="lg:hidden"></div> <ul id="primary-navigation"> <li class="bg-white left-0 lg:hidden sticky top-0 w-full z-10"></li> <li class="top-level-wrapper"> <a href="/features/" class="block top-level-nav-item"> <div class="label-wrapper"> <p class="text-fx-lg trim">Product tour</p> </div> </a> </li> <li class="top-level-wrapper"> <a href="/business/" class="block top-level-nav-item"> <div class="label-wrapper"> <p class="text-fx-lg trim">For business</p> </div> </a> </li> <li class="top-level-wrapper"> <details name="top-level" class="group/details"> <summary class="expandable top-level-nav-item"> <div class="label-wrapper"> <p class="text-fx-lg trim">Support & Resources</p> </div> <svg xmlns="http://www.w3.org/2000/svg" class="fill-none group-open/details:rotate-180 size-icon-sm" stroke="currentColor" stroke-width="1.25" stroke-linecap="round" stroke-linejoin="round" fill="none" aria-hidden="true"> <use class="i-chevron" href="#i-chevron"></use> </svg> </summary> <ul class="second-level-wrapper"> <li> <p class="font-semibold lg:text-fx-lg text-fx-lg trim">Support</p> <ul class="third-level-wrapper"> <li> <a href="https://fastmail.help/" class="group"> <p class="lg:max-w-max py-fx-4 text-fx-lg trim whitespace-nowrap"> <span class="lg:[--link-color:--theme-fg] lg:group-hover:link-underline lg:link whitespace-normal"> Fastmail help center</span> </p> </a> </li> <li> <a href="/support/" class="group"> <p class="lg:max-w-max py-fx-4 text-fx-lg trim whitespace-nowrap"> <span class="lg:[--link-color:--theme-fg] lg:group-hover:link-underline lg:link whitespace-normal"> Contact Fastmail support</span> </p> </a> </li> <li> <a href="https://fastmailstatus.com/" class="group"> <p class="lg:max-w-max py-fx-4 text-fx-lg trim whitespace-nowrap"> <span class="lg:[--link-color:--theme-fg] lg:group-hover:link-underline lg:link whitespace-normal"> System status</span> </p> </a> </li> <li> <a href="/bug-bounty/" class="group"> <p class="lg:max-w-max py-fx-4 text-fx-lg trim whitespace-nowrap"> <span class="current-page lg:[--link-color:--theme-fg] lg:group-hover:link-underline lg:link relative whitespace-normal"> Report a security issue</span> </p> </a> </li> </ul> </li> <li> <p class="font-semibold lg:text-fx-lg text-fx-lg trim">How to</p> <ul class="third-level-wrapper"> <li> <a href="/how-to/move-from-gmail/" class="group"> <p class="lg:max-w-max py-fx-4 text-fx-lg trim whitespace-nowrap"> <span class="lg:[--link-color:--theme-fg] lg:group-hover:link-underline lg:link whitespace-normal"> Move from Gmail</span> </p> </a> </li> <li> <a href="/how-to/move-from-outlook/" class="group"> <p class="lg:max-w-max py-fx-4 text-fx-lg trim whitespace-nowrap"> <span class="lg:[--link-color:--theme-fg] lg:group-hover:link-underline lg:link whitespace-normal"> Move from Outlook</span> </p> </a> </li> <li> <a href="/how-to/move-from-yahoo/" class="group"> <p class="lg:max-w-max py-fx-4 text-fx-lg trim whitespace-nowrap"> <span class="lg:[--link-color:--theme-fg] lg:group-hover:link-underline lg:link whitespace-normal"> Move from Yahoo</span> </p> </a> </li> <li> <a href="/how-to/move-from-proton/" class="group"> <p class="lg:max-w-max py-fx-4 text-fx-lg trim whitespace-nowrap"> <span class="lg:[--link-color:--theme-fg] lg:group-hover:link-underline lg:link whitespace-normal"> Move from Proton</span> </p> </a> </li> <li> <a href="/how-to/move-from-hey/" class="group"> <p class="lg:max-w-max py-fx-4 text-fx-lg trim whitespace-nowrap"> <span class="lg:[--link-color:--theme-fg] lg:group-hover:link-underline lg:link whitespace-normal"> Move from HEY</span> </p> </a> </li> <li> <a href="/how-to/email-for-your-domain/" class="group"> <p class="lg:max-w-max py-fx-4 text-fx-lg trim whitespace-nowrap"> <span class="lg:[--link-color:--theme-fg] lg:group-hover:link-underline lg:link whitespace-normal"> Get email for your domain</span> </p> </a> </li> <li> <a href="/how-to/stop-spam/" class="group"> <p class="lg:max-w-max py-fx-4 text-fx-lg trim whitespace-nowrap"> <span class="lg:[--link-color:--theme-fg] lg:group-hover:link-underline lg:link whitespace-normal"> Stop spam</span> </p> </a> </li> <li> <a href="/how-to/inbox-zero/" class="group"> <p class="lg:max-w-max py-fx-4 text-fx-lg trim whitespace-nowrap"> <span class="lg:[--link-color:--theme-fg] lg:group-hover:link-underline lg:link whitespace-normal"> Achieve inbox zero</span> </p> </a> </li> </ul> </li> <li> <p class="font-semibold lg:text-fx-lg text-fx-lg trim">Resources</p> <ul class="third-level-wrapper"> <li> <a href="/blog/" class="group"> <p class="lg:max-w-max py-fx-4 text-fx-lg trim whitespace-nowrap"> <span class="lg:[--link-color:--theme-fg] lg:group-hover:link-underline lg:link whitespace-normal"> Blog</span> </p> </a> </li> <li> <a href="/digitalcitizen/" class="group"> <p class="lg:max-w-max py-fx-4 text-fx-lg trim whitespace-nowrap"> <span class="lg:[--link-color:--theme-fg] lg:group-hover:link-underline lg:link whitespace-normal"> Podcast</span> </p> </a> </li> <li> <a href="/company/about/" class="group"> <p class="lg:max-w-max py-fx-4 text-fx-lg trim whitespace-nowrap"> <span class="lg:[--link-color:--theme-fg] lg:group-hover:link-underline lg:link whitespace-normal"> About us</span> </p> </a> </li> <li> <a href="/company/values/" class="group"> <p class="lg:max-w-max py-fx-4 text-fx-lg trim whitespace-nowrap"> <span class="lg:[--link-color:--theme-fg] lg:group-hover:link-underline lg:link whitespace-normal"> Our values</span> </p> </a> </li> <li> <a href="/dev/" class="group"> <p class="lg:max-w-max py-fx-4 text-fx-lg trim whitespace-nowrap"> <span class="lg:[--link-color:--theme-fg] lg:group-hover:link-underline lg:link whitespace-normal"> API Documentation</span> </p> </a> </li> </ul> </li> <li> <p class="font-semibold lg:text-fx-lg text-fx-lg trim">Download the app</p> <ul class="third-level-wrapper"> <li> <a href="https://apps.apple.com/us/app/fastmail-email-calendar/id931370077" class="group" target="_blank"> <p class="lg:max-w-max py-fx-4 text-fx-lg trim whitespace-nowrap"> <span class="lg:[--link-color:--theme-fg] lg:group-hover:link-underline lg:link whitespace-normal"> App Store</span> <svg xmlns="http://www.w3.org/2000/svg" class="align-text-bottom inline size-icon" stroke="currentColor" stroke-width="1.25" stroke-linecap="round" stroke-linejoin="round" fill="none" aria-labelledby="external-link-title-7d2ef2" role="graphics-symbol"> <title id="external-link-title-7d2ef2">Download Fastmail on the App Store</title> <use class="i-external-link" href="#i-external-link"></use> </svg> </p> </a> </li> <li> <a href="https://play.google.com/store/apps/details?id=com.fastmail.app" class="group" target="_blank"> <p class="lg:max-w-max py-fx-4 text-fx-lg trim whitespace-nowrap"> <span class="lg:[--link-color:--theme-fg] lg:group-hover:link-underline lg:link whitespace-normal"> Google Play</span> <svg xmlns="http://www.w3.org/2000/svg" class="align-text-bottom inline size-icon" stroke="currentColor" stroke-width="1.25" stroke-linecap="round" stroke-linejoin="round" fill="none" aria-labelledby="external-link-title-931c6c" role="graphics-symbol"> <title id="external-link-title-931c6c">Download Fastmail on Google Play</title> <use class="i-external-link" href="#i-external-link"></use> </svg> </p> </a> </li> </ul> </li> </ul> </details> </li> <li class="top-level-wrapper"> <a href="/pricing/" class="block top-level-nav-item"> <div class="label-wrapper"> <p class="text-fx-lg trim">Pricing</p> </div> </a> </li> <span class="flex-grow ge-[64rem]:hidden"></span> <li class="bg-white bottom-0 flex flex-col gap-fx-2 left-0 lg:hidden pb-fx-6 pt-fx-2 px-fx-4 right-0 sticky text-center"> <a href="https://app.fastmail.com/"> <p class="active:bg-grey-100/20 bg-grey-100/10 hover:bg-grey-100/15 py-fx-4 rounded-md text-blue-120 text-fx-lg trim w-full">Log in</p> </a> <a href="https://app.fastmail.com/signup/"> <p class="active:bg-blue-120 bg-blue-100 font-semibold hover:bg-blue-110 py-fx-4 rounded-md text-fx-lg text-white trim w-full">Try for free</p> </a> </li> </ul> </div> <ul class="flex flex-1 flex-row-reverse flex-wrap gap-x-fx-2 gap-y-fx-10 overflow-hidden self-stretch"> <li class="flex items-center lt-[22.5rem]:hidden min-h-header product-nav-wrapper"> <a href="https://app.fastmail.com/signup/"> <div class="active:bg-[--header-signup-bg-active] bg-[--header-signup-bg] border border-[--header-signup-border] flex hover:bg-[--header-signup-bg-hover] items-center px-fx-5 py-[10.5px] rounded-md text-nowrap"> <p class="font-semibold text-[--header-signup-fg] text-fx-lg trim">Try for free</p> </div> </a> </li> <li class="flex items-center lt-[22.5rem]:hidden overflow-hidden product-nav-wrapper whitespace-nowrap"> <a href="https://app.fastmail.com/" class="py-fx-3 top-level-nav-item"> <div class="label-wrapper mx-fx-5"> <p class="text-fx-lg trim">Log in</p> </div> </a> </li> </ul> </header> </div> <main class="flex lt-lg:flex-col"> <nav data-subnav class="bg-page-bg border-border-medium lg:-translate-y-[2px] lg:[--wrapper-width:24rem] lg:border-r lg:pt-l-5xl lg:w-[24rem] lt-lg:border-b max-h-[calc(100vh-var(--header-height))] overflow-auto prose-grid prose-width sticky top-header z-50"> <details data-mobile-subnav class="flex flex-grow group/parent lg:hidden"> <summary class="cursor-pointer flex font-semibold gap-2xs items-center marker:content-none marker:hidden py-xs"> <p class="font-semibold text-0 trim">Policies</p> <svg xmlns="http://www.w3.org/2000/svg" class="group-open/parent:rotate-180 size-icon-sm" stroke="currentColor" stroke-width="1.25" stroke-linecap="round" stroke-linejoin="round" fill="none" aria-hidden="true"> <use class="i-chevron" href="#i-chevron"></use> </svg> </summary> <a href="/policies/" class="hover:underline"> <p class="[line-height:--fixed-space-5] border-b border-border-medium py-xs text-0"> Return to overview </p> </a> <ul class="divide-border-medium divide-y"> <li> <details class="group/child"> <summary class="cursor-pointer flex gap-2xs items-center py-xs"> <p class="text-min-1 trim">End user policies</p> <svg xmlns="http://www.w3.org/2000/svg" class="group-open/child:rotate-180 size-icon-sm" stroke="currentColor" stroke-width="1.25" stroke-linecap="round" stroke-linejoin="round" fill="none" aria-hidden="true"> <use class="i-chevron" href="#i-chevron"></use> </svg> </summary> <ul class="pb-xs space-y-2xs"> <li> <a href="/policies/terms-of-service/" class="hover:underline text-accent"> <p class="py-xs text-min-1 trim">Terms of Service</p> </a> </li> <li> <a href="/policies/privacy/" class="hover:underline text-accent"> <p class="py-xs text-min-1 trim">Privacy policy</p> </a> </li> <li> <a href="/policies/cookies-policy/" class="hover:underline text-accent"> <p class="py-xs text-min-1 trim">Cookies policy</p> </a> </li> <li> <a href="/policies/transparency-report/" class="hover:underline text-accent"> <p class="py-xs text-min-1 trim">Data Transparency Report</p> </a> </li> <li> <a href="/policies/domains-terms-of-service/" class="hover:underline text-accent"> <p class="py-xs text-min-1 trim">Fastmail Domain Terms of Service</p> </a> </li> <li> <a href="/policies/dpa/" class="hover:underline text-accent"> <p class="py-xs text-min-1 trim">Data Protection Agreement</p> </a> </li> <li> <a href="/policies/partnerstack-terms-of-service/" class="hover:underline text-accent"> <p class="py-xs text-min-1 trim">PartnerStack Terms of Service</p> </a> </li> </ul> </details> </li> <li> <details class="group/child"> <summary class="cursor-pointer flex gap-2xs items-center py-xs"> <p class="text-min-1 trim">Developers and integration partners</p> <svg xmlns="http://www.w3.org/2000/svg" class="group-open/child:rotate-180 size-icon-sm" stroke="currentColor" stroke-width="1.25" stroke-linecap="round" stroke-linejoin="round" fill="none" aria-hidden="true"> <use class="i-chevron" href="#i-chevron"></use> </svg> </summary> <ul class="pb-xs space-y-2xs"> <li> <a href="/policies/api-terms-of-service/" class="hover:underline text-accent"> <p class="py-xs text-min-1 trim">API Terms of Service</p> </a> </li> <li> <a href="/policies/api-developer-policy/" class="hover:underline text-accent"> <p class="py-xs text-min-1 trim">API Developer Policy</p> </a> </li> <li> <a href="/policies/bots/" class="hover:underline text-accent"> <p class="py-xs text-min-1 trim">Fastmail bots</p> </a> </li> </ul> </details> </li> <li> <details class="group/child"> <summary class="cursor-pointer flex gap-2xs items-center py-xs"> <p class="text-min-1 trim">Press, marketing and partners</p> <svg xmlns="http://www.w3.org/2000/svg" class="group-open/child:rotate-180 size-icon-sm" stroke="currentColor" stroke-width="1.25" stroke-linecap="round" stroke-linejoin="round" fill="none" aria-hidden="true"> <use class="i-chevron" href="#i-chevron"></use> </svg> </summary> <ul class="pb-xs space-y-2xs"> <li> <a href="/policies/brand-guidelines/" class="hover:underline text-accent"> <p class="py-xs text-min-1 trim">Brand Guidelines</p> </a> </li> </ul> </details> </li> <li> <details class="group/child" open> <summary class="cursor-pointer flex gap-2xs items-center py-xs"> <p class="text-min-1 trim">Responsible disclosure</p> <svg xmlns="http://www.w3.org/2000/svg" class="group-open/child:rotate-180 size-icon-sm" stroke="currentColor" stroke-width="1.25" stroke-linecap="round" stroke-linejoin="round" fill="none" aria-hidden="true"> <use class="i-chevron" href="#i-chevron"></use> </svg> </summary> <ul class="pb-xs space-y-2xs"> <li> <a href="/bug-bounty/" class="font-semibold hover:underline text-accent"> <p class="py-xs text-min-1 trim">Security Issue Reporting</p> </a> </li> </ul> </details> </li> </ul> </details> <div data-desktop-subnav class="lt-lg:hidden"> <a href="/policies/" class="hover:underline"> <p class="font-semibold pb-xs text-0 trim">Policies</p> </a> <ul class="divide-border-medium divide-y"> <li> <details class="group/child"> <summary class="cursor-pointer flex gap-2xs items-center py-xs"> <p class="text-min-1 trim">End user policies</p> <svg xmlns="http://www.w3.org/2000/svg" class="group-open/child:rotate-180 size-icon-sm" stroke="currentColor" stroke-width="1.25" stroke-linecap="round" stroke-linejoin="round" fill="none" aria-hidden="true"> <use class="i-chevron" href="#i-chevron"></use> </svg> </summary> <ul class="pb-xs space-y-2xs"> <li> <a href="/policies/terms-of-service/" class="hover:underline text-accent"> <p class="py-xs text-min-1 trim">Terms of Service</p> </a> </li> <li> <a href="/policies/privacy/" class="hover:underline text-accent"> <p class="py-xs text-min-1 trim">Privacy policy</p> </a> </li> <li> <a href="/policies/cookies-policy/" class="hover:underline text-accent"> <p class="py-xs text-min-1 trim">Cookies policy</p> </a> </li> <li> <a href="/policies/transparency-report/" class="hover:underline text-accent"> <p class="py-xs text-min-1 trim">Data Transparency Report</p> </a> </li> <li> <a href="/policies/domains-terms-of-service/" class="hover:underline text-accent"> <p class="py-xs text-min-1 trim">Fastmail Domain Terms of Service</p> </a> </li> <li> <a href="/policies/dpa/" class="hover:underline text-accent"> <p class="py-xs text-min-1 trim">Data Protection Agreement</p> </a> </li> <li> <a href="/policies/partnerstack-terms-of-service/" class="hover:underline text-accent"> <p class="py-xs text-min-1 trim">PartnerStack Terms of Service</p> </a> </li> </ul> </details> </li> <li> <details class="group/child"> <summary class="cursor-pointer flex gap-2xs items-center py-xs"> <p class="text-min-1 trim">Developers and integration partners</p> <svg xmlns="http://www.w3.org/2000/svg" class="group-open/child:rotate-180 size-icon-sm" stroke="currentColor" stroke-width="1.25" stroke-linecap="round" stroke-linejoin="round" fill="none" aria-hidden="true"> <use class="i-chevron" href="#i-chevron"></use> </svg> </summary> <ul class="pb-xs space-y-2xs"> <li> <a href="/policies/api-terms-of-service/" class="hover:underline text-accent"> <p class="py-xs text-min-1 trim">API Terms of Service</p> </a> </li> <li> <a href="/policies/api-developer-policy/" class="hover:underline text-accent"> <p class="py-xs text-min-1 trim">API Developer Policy</p> </a> </li> <li> <a href="/policies/bots/" class="hover:underline text-accent"> <p class="py-xs text-min-1 trim">Fastmail bots</p> </a> </li> </ul> </details> </li> <li> <details class="group/child"> <summary class="cursor-pointer flex gap-2xs items-center py-xs"> <p class="text-min-1 trim">Press, marketing and partners</p> <svg xmlns="http://www.w3.org/2000/svg" class="group-open/child:rotate-180 size-icon-sm" stroke="currentColor" stroke-width="1.25" stroke-linecap="round" stroke-linejoin="round" fill="none" aria-hidden="true"> <use class="i-chevron" href="#i-chevron"></use> </svg> </summary> <ul class="pb-xs space-y-2xs"> <li> <a href="/policies/brand-guidelines/" class="hover:underline text-accent"> <p class="py-xs text-min-1 trim">Brand Guidelines</p> </a> </li> </ul> </details> </li> <li> <details class="group/child" open> <summary class="cursor-pointer flex gap-2xs items-center py-xs"> <p class="text-min-1 trim">Responsible disclosure</p> <svg xmlns="http://www.w3.org/2000/svg" class="group-open/child:rotate-180 size-icon-sm" stroke="currentColor" stroke-width="1.25" stroke-linecap="round" stroke-linejoin="round" fill="none" aria-hidden="true"> <use class="i-chevron" href="#i-chevron"></use> </svg> </summary> <ul class="pb-xs space-y-2xs"> <li> <a href="/bug-bounty/" class="font-semibold hover:underline text-accent"> <p class="py-xs text-min-1 trim">Security Issue Reporting</p> </a> </li> </ul> </details> </li> </ul> </div> </nav> <article id="post" class="content font-sans lg:mr-auto lt-lg:mx-auto pb-5xl prose prose-grid pt-l-5xl"> <h1>Security Issue Reporting</h1> <h2 id="security-issue-reporting-guidelines" tabindex="-1">Security issue reporting guidelines</h2> <p>If you think you have found a security vulnerability in Fastmail, please report it to us straight away by emailing <a href="mailto:security@fastmailteam.com">security@fastmailteam.com</a>. Please include detailed steps to reproduce and a brief description of what the impact is. We encourage responsible disclosure (as described below), and we promise to investigate all legitimate reports in a timely manner and fix any issues as soon as we can.</p> <p>We do read all reports within 24 hours, but as all reports are reviewed and personally investigated by our senior staff, it may take up to 10 business days before you hear back from us.</p> <hr> <h2 id="responsible-disclosure-policy" tabindex="-1">Responsible disclosure policy</h2> <p>We ask that during your research you make every effort to maintain the integrity of our users’ data, avoiding violating privacy or degrading our service. You must give us reasonable time to fix any vulnerability you find before you make it public. In return we promise to investigate reports promptly and not to take any legal action against you.</p> <h2 id="bug-bounty" tabindex="-1">Bug bounty</h2> <p>Our bug bounty program is common to all products produced by Fastmail, and thus covers our <a href="https://www.topicbox.com/" target="_blank" rel="noopener">Topicbox</a> and <a href="https://www.pobox.com/" target="_blank" rel="noopener">Pobox</a> products in addition to our flagship Fastmail service.</p> <p>As a measure of our appreciation for security researchers, we are happy to give full credit in any public postmortem after the bug has been fixed, and we offer a <strong>monetary bounty</strong> for certain qualifying bugs. To qualify for the bounty, you must:</p> <ul> <li>Follow our responsible disclosure policy (see above).</li> <li>Report the bug to us first, and give us reasonable time to fix the issue before making it public.</li> <li>Be the first person to report the issue to us.</li> <li>Use a test account (a free trial account is fine), or an account that you control. Never interact with other accounts without the owner’s consent.</li> <li>Find a bug that could allow access to private user data, or enable access to a system running Fastmail infrastructure.</li> </ul> <p>Examples of valid vulnerability types include:</p> <ul> <li>Authentication or session management issues</li> <li>Cross-Site Scripting (XSS) (only on <code>www.fastmail.com</code> or <code>beta.fastmail.com</code>, <strong>not</strong> on <code>user.fm</code> or <code>fastmailusercontent.com</code>; see below)</li> <li>Cross-Site Request Forgery (CSRF/XSRF)</li> <li>Remote Code Execution</li> <li>Privilege Escalation</li> </ul> <p>The decision of whether a bug qualifies for a bounty is solely at the discretion of Fastmail. Any qualifying bug will be eligible for a bounty of a minimum of US$100 and a <strong>maximum of $5,000</strong>. The exact value will be determined by Fastmail after taking into account the severity of the vulnerability, the number of users potentially affected etc. All bounties will be paid via PayPal. Any taxes or fees are the sole liability of the recipient. We process bug bounty payments once a month.</p> <h2 id="specific-exclusions" tabindex="-1">Specific exclusions</h2> <p>People seem to report these regularly, so we’re putting them up front to make it clear we do <strong>not</strong> regard these as bugs</p> <ol> <li>Email spoofing bugs do not qualify. We are quite aware that users can set arbitrary From addresses on emails, that our SPF records allow arbitrary hosts to send email as our domains, and that our DMARC policy is not enforcing passes. These policy decisions are by design, and we track the actual sender in a separate header.</li> <li><a href="https://owasp.org/www-community/attacks/CSV_Injection" target="_blank" rel="noopener">CSV Excel Macro Injection</a> bugs via address book exporting do not qualify. The user has complete control over their address book. We regard convincing someone to add a particular address to their address book, export and download it as a CSV, open it in Excel, click through a warning dialog as exceedingly unlikely user interaction. If you can get them to do that, just get them to run cmd from the Start menu and paste some arbitrary command.</li> </ol> <h2 id="general-exclusions" tabindex="-1">General Exclusions</h2> <ol> <li>Denial of Service (DOS) and social engineering attacks do not qualify and must not be attempted against Fastmail or our users under any circumstances.</li> <li>Bugs that require exceedingly unlikely user interaction or are caused by insecurities in browser extensions do not qualify.</li> <li>Brute force log in attempts.</li> <li>The domains <code>user.fm</code> and <code>fastmailusercontent.com</code> are used to host potentially unsafe user content. By keeping this content in completely separate domains, we avoid any security issues with our core<code>fastmail.com</code>domain. As such, any Cross-Site Scripting (XSS) attacks on these sites are not of interest to us. Please note that if you go to a user web site such as <code>testuser.fastmail.com</code> it immediately redirects to <code>testuser.fastmail.com.user.fm</code> and is thus in the<code>user.fm</code>security domain, not the <code>fastmail.com</code> domain.</li> <li>Bugs on sites associated with Fastmail but not run by Fastmail do not qualify. This includes <a href="http://www.fastmailfbl.com/" target="_blank" rel="noopener">www.fastmailfbl.com</a>. We are grateful for any reports on issues with these sites, and we will pass on the bugs to the relevant company, however they do not qualify for a bounty.</li> <li>Anything related to enumeration of usernames does not qualify.</li> <li>Bugs related to unpatched, out of date or exceedingly rarely used browsers or other client software out of our control.</li> <li>We are public about the software we run. We are not interested in reports about “leakage” of the fact we run nginx, or the version number, or Perl module names or file paths.</li> </ol> <h2 id="hall-of-fame" tabindex="-1">Hall of fame</h2> <p>Our thanks to the following security researchers for their submissions:</p> <h3 id="2024" tabindex="-1">2024</h3> <table> <thead> <tr> <th>Researcher</th> <th>Vulnerability found</th> <th>Bounty paid</th> </tr> </thead> <tbody> <tr> <td>Amethama Luturmas</td> <td>Topicbox ACL bypass</td> <td>$100</td> </tr> </tbody> </table> <h3 id="2023" tabindex="-1">2023</h3> <table> <thead> <tr> <th>Researcher</th> <th>Vulnerability found</th> <th>Bounty paid</th> </tr> </thead> <tbody> <tr> <td>Mohammad Eldawody</td> <td>Fastmail 2FA vulnerability</td> <td>$3000</td> </tr> <tr> <td>Max Raams</td> <td>Email authentication weaknesses</td> <td>$250</td> </tr> </tbody> </table> <h3 id="2022" tabindex="-1">2022</h3> <table> <thead> <tr> <th>Researcher</th> <th>Vulnerability found</th> <th>Bounty paid</th> </tr> </thead> <tbody> <tr> <td>Vivek Kumar Yadav</td> <td>Topicbox app vulnerability</td> <td>$100</td> </tr> <tr> <td>Vivek Kumar Yadav</td> <td>Android app vulnerability</td> <td>$100</td> </tr> <tr> <td>Milan Jain</td> <td>CRLF injection vulnerability</td> <td>$250</td> </tr> <tr> <td>Ilkin Javadov</td> <td>Pobox password link expiry</td> <td>$100</td> </tr> <tr> <td>Huzaifa Muhammad</td> <td>Topicbox mobile app vulnerability</td> <td>$100</td> </tr> <tr> <td>Huzaifa Muhammad</td> <td>Anti-abuse bypass on mobile app</td> <td>$100</td> </tr> <tr> <td>Jonathan Page</td> <td>DKIM oversigning</td> <td>$200</td> </tr> </tbody> </table> <h3 id="2021" tabindex="-1">2021</h3> <table> <thead> <tr> <th>Researcher</th> <th>Vulnerability found</th> <th>Bounty paid</th> </tr> </thead> <tbody> <tr> <td>Dennis Trappe</td> <td>iOS app vulnerability</td> <td>$100</td> </tr> <tr> <td>Sheikh Rishad</td> <td>Android app vulnerability</td> <td>$100</td> </tr> <tr> <td>Jaikishan Tulswani</td> <td>Access vulnerability for third party service</td> <td>$250</td> </tr> <tr> <td>Mohammed Eldawody</td> <td>Bypass security screen in Topicbox</td> <td>$100</td> </tr> <tr> <td>Vicky Sahputra</td> <td>Deleted group vulnerability in Topicbox</td> <td>$100</td> </tr> <tr> <td>Markus Holtermann</td> <td>Fingerprint authentication vulnerability in Fastmail app</td> <td>$100</td> </tr> <tr> <td>N Krishna Chaitanya</td> <td>Password reset vulnerability in Pobox</td> <td>$100</td> </tr> <tr> <td>Pravas Ranjan Kanungo</td> <td>Image proxy vulnerability in Fastmail</td> <td>$100</td> </tr> <tr> <td>Mohammed Eldawody</td> <td>Password recovery bug in Pobox</td> <td>$3000</td> </tr> <tr> <td>Roman Zabaluev</td> <td>Caching of “don’t require 2FA again on this device” cookie validity</td> <td>$500</td> </tr> </tbody> </table> <h3 id="2020" tabindex="-1">2020</h3> <table> <thead> <tr> <th>Researcher</th> <th>Vulnerability found</th> <th>Bounty paid</th> </tr> </thead> <tbody> <tr> <td>Mohammed Eldawody</td> <td>Privilege escalation bugs in Topicbox</td> <td>$2000</td> </tr> <tr> <td>Mohammed Eldawody</td> <td>Bypass security screen in Topicbox</td> <td>$200</td> </tr> <tr> <td>Daniel Santos</td> <td>Mutation bypass in DOMPurify</td> <td>$100</td> </tr> <tr> <td>Michał Bentkowski (Securitum)</td> <td>CSS sanitisation bypass</td> <td>$750</td> </tr> <tr> <td>Michał Bentkowski (Securitum)</td> <td>DOMPurify mXSS (sponsored bug bounty; did not affect Fastmail products)</td> <td>$250</td> </tr> <tr> <td>Mohammed Eldawody</td> <td>Stored XSS in Pobox</td> <td>$200</td> </tr> <tr> <td>Mart Gil Robles</td> <td>Login CSRF in Pobox</td> <td>$100</td> </tr> <tr> <td>Basavaraj Banakar</td> <td>Self-XSS in Pobox</td> <td>$100</td> </tr> <tr> <td>Alexander Harkness</td> <td>Unnecessary information disclosed in DMARC report</td> <td>$100</td> </tr> <tr> <td>Jackson K V</td> <td>Login rate-limiting bypass in Pobox</td> <td>$200</td> </tr> <tr> <td>Sachin Hodkasia</td> <td>Login rate-limiting bypass in Pobox</td> <td>$200</td> </tr> <tr> <td>Sachin Hodkasia</td> <td>Password reset expiration issue in Pobox</td> <td>$100</td> </tr> <tr> <td>Syed Muhammad Asim</td> <td>Mixed content warnings in Pobox</td> <td>$100</td> </tr> </tbody> </table> <h3 id="2019" tabindex="-1">2019</h3> <table> <thead> <tr> <th>Researcher</th> <th>Vulnerability found</th> <th>Bounty paid</th> </tr> </thead> <tbody> <tr> <td>Ace Candelario</td> <td>HTML injection vulnerabilities in Pobox</td> <td>$100</td> </tr> <tr> <td>Hemant Singh Manral</td> <td>Limited reuse of expired recovery options</td> <td>$250</td> </tr> <tr> <td>Joran Dirk Greef (Ronomon)</td> <td>AppCache exploit to compromise attachment downloads</td> <td>$3500</td> </tr> <tr> <td>Michał Bentkowski (Securitum)</td> <td>DOMPurify mXSS (sponsored bug bounty; did not affect Fastmail products)</td> <td>$500</td> </tr> <tr> <td>Joran Dirk Greef (Ronomon)</td> <td>Bypasses to allowed attachment extensions</td> <td>$200</td> </tr> <tr> <td>Devansh Batham (Infoziant Labs)</td> <td>Deauthentication issue in Pobox</td> <td>$100</td> </tr> <tr> <td>Devansh Batham (Infoziant Labs)</td> <td>Password reset design issue in Pobox</td> <td>$100</td> </tr> <tr> <td>Brian Hyde</td> <td>HTML injection and email address injection vulnerabilities in Pobox</td> <td>$400</td> </tr> <tr> <td>Jaikishan Tulswani</td> <td>Session invalidation logic error in Pobox</td> <td>$100</td> </tr> <tr> <td>Aman Mahendra</td> <td>Race condition in 2FA login in Pobox</td> <td>$100</td> </tr> <tr> <td>Devansh Batham (Infoziant Labs)</td> <td>Miscellaneous CSRF vulnerabilities in Pobox</td> <td>$500</td> </tr> <tr> <td>Devansh Batham (Infoziant Labs)</td> <td>Request replay issue in Pobox</td> <td>$200</td> </tr> <tr> <td>Anonymous</td> <td>Incomplete access control restrictions on shared file storage within an account</td> <td>$1000</td> </tr> <tr> <td>Aakash Kumar</td> <td>Recovery code logic error in Pobox</td> <td>$100</td> </tr> </tbody> </table> <h3 id="2018" tabindex="-1">2018</h3> <table> <thead> <tr> <th>Researcher</th> <th>Vulnerability found</th> <th>Bounty paid</th> </tr> </thead> <tbody> <tr> <td>Devansh Batham (Infoziant Labs)</td> <td>Password reset logic error in Pobox</td> <td>$100</td> </tr> <tr> <td>Ahmed Elsobky</td> <td>Phishing protection bypass</td> <td>$100</td> </tr> <tr> <td>Tarun Mahour</td> <td>Self-XSS in Pobox</td> <td>$100</td> </tr> <tr> <td>Devansh Batham (Infoziant Labs)</td> <td>CSRF vulnerabilities in Listbox</td> <td>$200</td> </tr> <tr> <td>Anonymous</td> <td>Network misconfiguration</td> <td>$2000</td> </tr> <tr> <td>Nikola Kojic</td> <td>Image proxy bypass</td> <td>$100</td> </tr> <tr> <td>Jaikishan Tulswani</td> <td>Page invalidation logic error in Pobox</td> <td>$100</td> </tr> <tr> <td>Jaikishan Tulswani</td> <td>Private services discovered</td> <td>$100</td> </tr> <tr> <td>Jaikishan Tulswani</td> <td>Session invalidation logic error in Listbox</td> <td>$100</td> </tr> <tr> <td>Jaikishan Tulswani</td> <td>List name discovery in Listbox</td> <td>$100</td> </tr> <tr> <td>Aman Mahendra</td> <td>Self-XSS in Listbox</td> <td>$100</td> </tr> <tr> <td>Arsiadi Sriyanto</td> <td>CSRF Token Disclosure</td> <td>$100</td> </tr> <tr> <td>Aman Mahendra</td> <td>XSS in Listbox</td> <td>$200</td> </tr> <tr> <td>Jaikishan Tulswani</td> <td>Page invalidation logic error</td> <td>$100</td> </tr> <tr> <td>Jaikishan Tulswani</td> <td>DNS misconfiguration</td> <td>$200</td> </tr> <tr> <td>Jaikishan Tulswani</td> <td>Open redirect in Listbox</td> <td>$100</td> </tr> <tr> <td>Jaikishan Tulswani</td> <td>Access control bypasses in Listbox</td> <td>$700</td> </tr> <tr> <td>Jaikishan Tulswani</td> <td>Multiple XSS and CSRF vulnerabilties in Listbox</td> <td>$1000</td> </tr> <tr> <td>Aman Mahendra</td> <td>links to insecure HTTP URLs provided in Listbox</td> <td>$100</td> </tr> <tr> <td>Jaikishan Tulswani</td> <td>CSRF in Listbox</td> <td>$100</td> </tr> <tr> <td>Jaikishan Tulswani</td> <td>subscription limit bypass in Listbox</td> <td>$300</td> </tr> <tr> <td>Jaikishan Tulswani</td> <td>access control bypass in Listbox</td> <td>$100</td> </tr> <tr> <td>Ranjit Pahan</td> <td>stored XSS in Listbox</td> <td>$200</td> </tr> <tr> <td>Devansh Batham (Infoziant Labs)</td> <td>UI redressing attack on Listbox and Pobox</td> <td>$100</td> </tr> <tr> <td>Devansh Batham (Infoziant Labs)</td> <td>Multiple XSS and CSRF vulnerabilities in Listbox and Pobox</td> <td>$1200</td> </tr> <tr> <td>Brian Hyde</td> <td>Multiple XSS and CSRF vulnerabilities in Listbox and Pobox</td> <td>$1000</td> </tr> <tr> <td>Jaikishan Tulswani</td> <td>XSS in Listbox</td> <td>$200</td> </tr> <tr> <td>Bijan Murmu</td> <td>Lax password policy in Listbox</td> <td>$200</td> </tr> <tr> <td>Ranjit Pahan</td> <td><code>window.opener</code> phishing vulnerabilty with attachments</td> <td>$100</td> </tr> <tr> <td>Chachi</td> <td>Error in check preventing reuse of previous password</td> <td>$100</td> </tr> <tr> <td>Jaikishan Tulswani</td> <td>Session invalidation logic error</td> <td>$100</td> </tr> <tr> <td>Jaikishan Tulswani</td> <td>Referrer leakage from support ticket</td> <td>$100</td> </tr> <tr> <td>Alex Zorin</td> <td>Input truncation bypassing domain validation</td> <td>$100</td> </tr> </tbody> </table> <h3 id="2017" tabindex="-1">2017</h3> <table> <thead> <tr> <th>Researcher</th> <th>Vulnerability found</th> <th>Bounty paid</th> </tr> </thead> <tbody> <tr> <td>Max Justicz</td> <td>Write access to server files</td> <td>$4000</td> </tr> <tr> <td>Brian Hyde</td> <td>Read-only access to private server files</td> <td>$2000</td> </tr> <tr> <td>Arsiadi Sriyanto</td> <td>Read access to private file storage metadata</td> <td>$500</td> </tr> <tr> <td>Lucas Reddinger</td> <td>Missing “enabled” check for shared calendar link</td> <td>$500</td> </tr> <tr> <td>Bastian Welfrid Purba</td> <td>CSRF in support ticket creation</td> <td>$250</td> </tr> <tr> <td>Nikola Kojic</td> <td>Image proxy bypass</td> <td>$200</td> </tr> <tr> <td>Arsiadi Sriyanto</td> <td>XSS on DAV subdomains</td> <td>$200</td> </tr> <tr> <td>pnig0s</td> <td>Unexploitable SSRF</td> <td>$100</td> </tr> </tbody> </table> <h3 id="2016" tabindex="-1">2016</h3> <table> <thead> <tr> <th>Researcher</th> <th>Vulnerability found</th> <th>Bounty paid</th> </tr> </thead> <tbody> <tr> <td>Arsiadi Sriyanto</td> <td>Reflected XSS</td> <td>$1500</td> </tr> <tr> <td>Brian Hyde</td> <td>Server Side Request Forgery</td> <td>$1000</td> </tr> <tr> <td>Shiv Bihari Pandey</td> <td>Security settings unlock bypass</td> <td>$500</td> </tr> <tr> <td>John Cleary</td> <td>Incorrect CalDAV ACL check allowed access to list of unrelated users</td> <td>$500</td> </tr> <tr> <td>Richard Smith</td> <td>2FA bypass when importing a user into a business</td> <td>$300</td> </tr> <tr> <td>Shiv Bihari Pandey</td> <td>SMS verification bypass</td> <td>$250</td> </tr> <tr> <td>n00b 4lw4y5 7ry</td> <td>Open redirect</td> <td>$100</td> </tr> </tbody> </table> <h3 id="2015" tabindex="-1">2015</h3> <table> <thead> <tr> <th>Researcher</th> <th>Vulnerability found</th> <th>Bounty paid</th> </tr> </thead> <tbody> <tr> <td>Salman Niksefat</td> <td>XSS in email body (classic interface or old browsers only)</td> <td>$1500</td> </tr> <tr> <td>Bogdan Calin</td> <td>HTTP header injection</td> <td>$500</td> </tr> <tr> <td>James Kettle (PortSwigger Web Security)</td> <td>Login CSRF</td> <td>$100</td> </tr> <tr> <td>Hugh Davenport</td> <td>Deletion of contacts/events with restricted logins</td> <td>$100</td> </tr> <tr> <td>Hugh Davenport</td> <td><code>window.opener</code> phishing vulnerabilty in classic interface</td> <td>$100</td> </tr> </tbody> </table> <h3 id="2014" tabindex="-1">2014</h3> <table> <thead> <tr> <th>Researcher</th> <th>Vulnerability found</th> <th>Bounty paid</th> </tr> </thead> <tbody> <tr> <td>Sergey Markov</td> <td>Read-only access to private server files</td> <td>$2000</td> </tr> <tr> <td>Thomas Guittonneau</td> <td>Read-only access to private server files</td> <td>$2000</td> </tr> <tr> <td>Sergey Markov</td> <td>HTTP header injection</td> <td>$1000</td> </tr> <tr> <td>Frans Rosén</td> <td>XSS in email (classic interface only)</td> <td>$1000</td> </tr> <tr> <td>Prashant Sharma</td> <td>Stored XSS in our support ticket system</td> <td>$1000</td> </tr> <tr> <td>Hammad Shamsi</td> <td>Stored XSS in our support ticket system</td> <td>$1000</td> </tr> <tr> <td>Bastian Welfrid Purba</td> <td>Missing user privilege check for removing user websites</td> <td>$1000</td> </tr> <tr> <td>Bastian Welfrid Purba</td> <td>Missing user privilege check for fetching saved searches</td> <td>$250</td> </tr> <tr> <td>Satish Bommisetty</td> <td>Can trick user into making phone call in iOS app</td> <td>$200</td> </tr> <tr> <td>Bastian Welfrid Purba</td> <td>4 self-XSS issues (not exploitable)</td> <td>$400</td> </tr> <tr> <td>V. Harish Kumar</td> <td>2 self-XSS issues (not exploitable)</td> <td>$200</td> </tr> <tr> <td>Ranjeet Singh</td> <td>IMAP connections not immediately killed on password change</td> <td>$100</td> </tr> <tr> <td>Sasi Levi</td> <td>Self-XSS issue (not exploitable)</td> <td>$100</td> </tr> <tr> <td>Manikandan Rajakumar</td> <td>Self-XSS issue (not exploitable)</td> <td>$100</td> </tr> <tr> <td>Lyon Yang</td> <td>XSS in embedded image in email body (only classic interface, only IE6, only if remote images enabled)</td> <td>$100</td> </tr> <tr> <td>Jakub Zoczek</td> <td>HTTP header injection (only on redirect)</td> <td>$100</td> </tr> <tr> <td>Rakesh Mane</td> <td>Self-XSS issue (not exploitable)</td> <td>$100</td> </tr> <tr> <td>Sasi Levi</td> <td>CSRF on some business/family account admin actions</td> <td>$100</td> </tr> <tr> <td>Sasi Levi</td> <td>CSRF on some folder sharing actions</td> <td>$100</td> </tr> <tr> <td>Hammad Shamsi</td> <td>Open redirect in paypal handler</td> <td>$100</td> </tr> <tr> <td>Mike Cardwell</td> <td>Image proxying bypass on reply</td> <td>$100</td> </tr> <tr> <td>Anonymous</td> <td><code>window.opener</code> phishing vulnerabilty</td> <td>$100</td> </tr> </tbody> </table> </article> </main> <footer class="[--link-color:--brand-color-deepblue-5] [--link-hover:--brand-color-deepblue-5] bg-footer-bg text-fg-footer"> <div class="[background-image:--footer-sep-gradient] h-[4px] w-full"></div> <nav aria-labelledby="footer-navigation" class="flex flex-col gap-y-fx-14 py-fx-14 wrapper"> <h2 id="footer-navigation" class="sr-only">Footer navigation</h2> <div class="flex flex-wrap gap-y-fx-10"> <div class="basis-2/6 flex-grow min-w-[min(18rem,100%)] space-y-fx-4"> <div class="-mt-fx-2"> <svg xmlns="http://www.w3.org/2000/svg" class="size-[40px]" aria-hidden="true"> <use class="i-fm-icon-logo" href="#i-fm-icon-logo"></use> </svg> </div> <p class="font-semibold text-fx-lg trim">Email and calendar made better</p> </div> <div class="basis-4/6 flex flex-grow flex-wrap gap-fx-9"> <div class="basis-[11.25rem] flex-1 space-y-fx-4 text-fx-base"> <h3 class="font-semibold text-fx-lg trim">Product</h3> <ul> <li> <a href="/features/" class="inline-block link"> <p class="py-fx-4 text-fx-base trim">Product tour</p> </a> </li> <li> <a href="/business/" class="inline-block link"> <p class="py-fx-4 text-fx-base trim">For business</p> </a> </li> <li> <a href="/pricing/" class="inline-block link"> <p class="py-fx-4 text-fx-base trim">Pricing</p> </a> </li> <li> <a href="/features/security/" class="inline-block link"> <p class="py-fx-4 text-fx-base trim">Security</p> </a> </li> <li> <a href="/features/privacy/" class="inline-block link"> <p class="py-fx-4 text-fx-base trim">Privacy</p> </a> </li> </ul> </div> <div class="basis-[11.25rem] flex-1 space-y-fx-4 text-fx-base"> <h3 class="font-semibold text-fx-lg trim">How to</h3> <ul> <li> <a href="/how-to/move-from-gmail/" class="inline-block link"> <p class="py-fx-4 text-fx-base trim">Move from Gmail</p> </a> </li> <li> <a href="/how-to/move-from-outlook/" class="inline-block link"> <p class="py-fx-4 text-fx-base trim">Move from Outlook</p> </a> </li> <li> <a href="/how-to/move-from-yahoo/" class="inline-block link"> <p class="py-fx-4 text-fx-base trim">Move from Yahoo</p> </a> </li> <li> <a href="/how-to/move-from-proton/" class="inline-block link"> <p class="py-fx-4 text-fx-base trim">Move from Proton</p> </a> </li> <li> <a href="/how-to/move-from-hey/" class="inline-block link"> <p class="py-fx-4 text-fx-base trim">Move from HEY</p> </a> </li> <li> <a href="/how-to/email-for-your-domain/" class="inline-block link"> <p class="py-fx-4 text-fx-base trim">Get email for your domain</p> </a> </li> <li> <a href="/how-to/stop-spam/" class="inline-block link"> <p class="py-fx-4 text-fx-base trim">Stop spam</p> </a> </li> <li> <a href="/how-to/inbox-zero/" class="inline-block link"> <p class="py-fx-4 text-fx-base trim">Achieve inbox zero</p> </a> </li> </ul> </div> <div class="basis-[11.25rem] flex-1 space-y-fx-4 text-fx-base"> <h3 class="font-semibold text-fx-lg trim">Support & Resources</h3> <ul> <li> <a href="/blog/" class="inline-block link"> <p class="py-fx-4 text-fx-base trim">Blog</p> </a> </li> <li> <a href="/digitalcitizen/" class="inline-block link"> <p class="py-fx-4 text-fx-base trim">Podcast</p> </a> </li> <li> <a href="https://fastmail.help/" class="inline-block link"> <p class="py-fx-4 text-fx-base trim">Fastmail help center</p> </a> </li> <li> <a href="/support/" class="inline-block link"> <p class="py-fx-4 text-fx-base trim">Contact Fastmail support</p> </a> </li> <li> <a href="/dev/" class="inline-block link"> <p class="py-fx-4 text-fx-base trim">API Documentation</p> </a> </li> <li> <a href="/bug-bounty/" class="inline-block link"> <p class="py-fx-4 text-fx-base trim">Report a security issue</p> </a> </li> </ul> </div> <div class="basis-[11.25rem] flex-1 space-y-fx-4 text-fx-base"> <h3 class="font-semibold text-fx-lg trim">Company</h3> <ul> <li> <a href="/company/about/" class="inline-block link"> <p class="py-fx-4 text-fx-base trim">About us</p> </a> </li> <li> <a href="/company/values/" class="inline-block link"> <p class="py-fx-4 text-fx-base trim">Our values</p> </a> </li> <li> <a href="https://apply.workable.com/fastmail-1/" class="inline-block link"> <p class="py-fx-4 text-fx-base trim">Careers</p> </a> </li> <li> <a href="/company/open-source/" class="inline-block link"> <p class="py-fx-4 text-fx-base trim">Open source and standards</p> </a> </li> <li> <a href="/company/partners/" class="inline-block link"> <p class="py-fx-4 text-fx-base trim">Partner with us</p> </a> </li> <li> <a href="/policies/" class="inline-block link"> <p class="py-fx-4 text-fx-base trim">Policies</p> </a> </li> <li> <a href="/media-kit/" class="inline-block link"> <p class="py-fx-4 text-fx-base trim">Media kit</p> </a> </li> </ul> </div> </div> </div> <div class="border-footer-border border-t flex gap-fx-8 items-center justify-center le-[66rem]:flex-col pt-fx-8 text-fx-base"> <ul class="flex flex-grow flex-wrap gap-fx-4 le-[66rem]:justify-center"> <li>&copy; 2025 Fastmail Pty Ltd. All rights reserved.</li> <li> <a href="https://fastmailstatus.com/" class="link">System status</a> </li> <li> <a href="/policies/terms-of-service/" class="link">Terms of service</a> </li> <li> <a href="/policies/privacy/" class="link">Privacy policy</a> </li> </ul> <div class="flex flex-wrap gap-fx-8 items-center justify-center"> <ul class="flex flex-grow flex-wrap gap-fx-6 items-center le-[66rem]:justify-center"> <li> <a href="https://mastodon.social/@fastmail"><span class="sr-only">Mastodon</span> <svg xmlns="http://www.w3.org/2000/svg" class="size-icon" fill="none" aria-hidden="true"> <use class="i-mastodon" href="#i-mastodon"></use> </svg> </a> </li> <li> <a href="https://twitter.com/Fastmail"><span class="sr-only">X</span> <svg xmlns="http://www.w3.org/2000/svg" class="size-icon" fill="none" aria-hidden="true"> <use class="i-x" href="#i-x"></use> </svg> </a> </li> <li> <a href="https://www.linkedin.com/company/fastmail"><span class="sr-only">LinkedIn</span> <svg xmlns="http://www.w3.org/2000/svg" class="size-icon" fill="none" aria-hidden="true"> <use class="i-linkedin" href="#i-linkedin"></use> </svg> </a> </li> <li> <a href="https://www.facebook.com/Fastmail/"><span class="sr-only">Facebook</span> <svg xmlns="http://www.w3.org/2000/svg" class="size-icon" fill="none" aria-hidden="true"> <use class="i-facebook" href="#i-facebook"></use> </svg> </a> </li> </ul> <ul class="flex flex-grow flex-wrap gap-fx-8 items-center le-[66rem]:justify-center"> <li> <a href="https://play.google.com/store/apps/details?id=com.fastmail.app"> <img src="/assets/images/play-store-_nKvx1K1d--135.svg" alt="Google Play" loading="lazy" decoding="async" width="135" height="40"> </a> </li> <li> <a href="https://apps.apple.com/us/app/fastmail-email-calendar/id931370077"> <img src="/assets/images/app-store-ZOqpK4vo0n-120.svg" alt="App Store" loading="lazy" decoding="async" width="120" height="40"> </a> </li> </ul> </div> </div> </nav> </footer> </div> <svg id="icon-sprite-sheet" class="sr-only"> <defs> <g id="i-chevron"> <svg xmlns="http://www.w3.org/2000/svg" viewbox="0 0 24 24"> <polyline points="17.75 9.13 12 14.88 6.25 9.13"></polyline> </svg> </g> <g id="i-external-link"> <svg viewbox="0 0 24 24" xmlns="http://www.w3.org/2000/svg"> <path d="M16.83 12.81V17.64C16.83 18.067 16.6604 18.4765 16.3584 18.7784C16.0565 19.0804 15.647 19.25 15.22 19.25H6.36C5.933 19.25 5.52349 19.0804 5.22156 18.7784C4.91962 18.4765 4.75 18.067 4.75 17.64V8.77998C4.75 8.35298 4.91962 7.94347 5.22156 7.64154C5.52349 7.33961 5.933 7.16998 6.36 7.16998H11.19"></path> <path d="M14.42 4.75H19.25V9.58"></path> <path d="M10.39 13.61L19.25 4.75"></path> </svg> </g> <g id="i-fm-icon-logo"> <svg viewbox="0 0 40 40" xmlns="http://www.w3.org/2000/svg"> <path d="M19.9998 19.9995L11.6665 14.2695V25.7279L16.8748 24.1645L19.9998 19.9995Z" fill="#FFC107"></path> <path d="M11.6665 25.7298H27.2915C27.8665 25.7298 28.3332 25.2632 28.3332 24.6882V14.2715L11.6665 25.7298Z" fill="#F4F5F7"></path> <path d="M32.8707 11.151C34.6034 13.6674 35.6234 16.7129 35.6234 20.0001C35.6234 28.6292 28.6271 35.6256 19.998 35.6256C14.6562 35.6256 9.94344 32.9401 7.12707 28.8492L4.37435 28.7492L3.52344 31.3274C7.13071 36.5638 13.1616 40.0001 19.9998 40.0001C31.0453 40.0001 39.9998 31.0456 39.9998 20.0001C39.9998 15.7929 38.6943 11.8947 36.4762 8.67285L33.7507 8.74921L32.8707 11.151Z" fill="#69B3E7"></path> <path d="M4.37455 20C4.37455 11.3709 11.3709 4.37455 20 4.37455C25.3418 4.37455 30.0545 7.06 32.8709 11.1509L36.4745 8.67273C32.8691 3.43636 26.8382 0 20 0C8.95455 0 0 8.95455 0 20C0 24.2073 1.30545 28.1055 3.52364 31.3273L7.12727 28.8491C5.39455 26.3327 4.37455 23.2873 4.37455 20Z" fill="#0067B9"></path> </svg> </g> <g id="i-mastodon"> <svg xmlns="http://www.w3.org/2000/svg" viewbox="0 0 20 20"> <mask id="mask0_714_15451" style="mask-type:luminance" maskunits="userSpaceOnUse" x="0" y="0" width="20" height="20"> <path d="M20 0H0V20H20V0Z" fill="white"></path> </mask> <g mask="url(#mask0_714_15451)"> <path fill-rule="evenodd" clip-rule="evenodd" d="M19.625 12C19.375 13.375 17 15 14.25 15.25C12.875 15.375 11.5 15.5 10 15.5C7.625 15.375 5.75 15 5.75 15V15.625C6 17.875 8.125 18 10 18C12 18.125 13.75 17.5 13.75 17.5L13.875 19.125C13.875 19.125 12.5 19.75 10.125 19.875C8.75 20 7.125 19.875 5.125 19.375C0.875 18.375 0.125 14.25 0 10V6.5C0 2.125 3 0.875 3 0.875C4.625 0.25 7.25 0 10 0C12.75 0 15.375 0.25 16.875 1C16.875 1 19.875 2.25 19.875 6.625C20 6.625 20 9.75 19.625 12ZM16.375 6.875V12.125H14.125V7C14.125 5.875 13.625 5.375 12.625 5.375C11.5 5.375 11 6 11 7.25V10H8.875V7.375C8.875 6.125 8.375 5.5 7.25 5.5C6.25 5.375 5.875 6 5.875 7V12.125H3.625V6.875C3.625 5.75 3.875 5 4.5 4.375C5.125 3.75 5.875 3.375 6.875 3.375C8 3.375 8.875 3.75 9.5 4.625L10 5.5L10.5 4.625C11.125 3.75 11.875 3.375 13.125 3.375C14.125 3.375 14.875 3.75 15.5 4.375C16.125 5 16.375 5.875 16.375 6.875Z" fill="#999EA3"></path> </g> </svg> </g> <g id="i-x"> <svg xmlns="http://www.w3.org/2000/svg" viewbox="0 0 24 24"> <path d="M13.676 10.622L20.233 3H18.679L12.986 9.618L8.43897 3H3.19397L10.07 13.007L3.19397 21H4.74797L10.76 14.011L15.562 21H20.807L13.676 10.622ZM11.548 13.096L10.851 12.099L5.30797 4.17H7.69497L12.169 10.569L12.866 11.566L18.681 19.884H16.294L11.548 13.096Z" fill="#999EA3"></path> </svg> </g> <g id="i-linkedin"> <svg xmlns="http://www.w3.org/2000/svg" viewbox="0 0 24 24"> <path fill-rule="evenodd" clip-rule="evenodd" d="M20.551 2H3.508C2.693 2 2 2.645 2 3.439V20.56C2 21.355 2.454 22 3.27 22H20.314C21.13 22 22.001 21.355 22.001 20.56V3.439C22.001 2.645 21.368 2 20.551 2ZM9.619 9.619H12.311V10.991H12.341C12.751 10.251 13.964 9.5 15.463 9.5C18.34 9.5 19.143 11.028 19.143 13.857V19.143H16.286V14.378C16.286 13.111 15.78 12 14.597 12C13.161 12 12.476 12.972 12.476 14.569V19.143H9.619V9.619ZM4.857 19.143H7.714V9.619H4.857V19.143ZM8.071 6.286C8.071 7.273 7.272 8.072 6.285 8.072C5.298 8.072 4.499 7.273 4.499 6.286C4.499 5.299 5.298 4.5 6.285 4.5C7.272 4.5 8.071 5.299 8.071 6.286Z" fill="#999EA3"></path> </svg> </g> <g id="i-facebook"> <svg xmlns="http://www.w3.org/2000/svg" viewbox="0 0 20 20"> <path d="M20 10C20 4.477 15.523 0 10 0C4.477 0 0 4.477 0 10C0 14.69 3.229 18.625 7.584 19.706V13.056H5.522V10H7.584V8.683C7.584 5.279 9.124 3.702 12.466 3.702C13.1 3.702 14.193 3.826 14.64 3.95V6.72C14.404 6.695 13.994 6.683 13.485 6.683C11.845 6.683 11.212 7.304 11.212 8.919V10H14.478L13.917 13.056H11.212V19.927C16.163 19.329 20 15.113 20 10Z" fill="#999EA3"></path> </svg> </g> </defs> </svg> </body></html>