Security

Report a security vulnerability.

Found a bug that could affect user privacy or platform security? We want to hear from you — responsibly.

Acknowledgement SLA: 4h
Full response SLA: 48h
Max bounty payout: $5k
Reports investigated: 100%
Tell us what you found.
Prefer PGP-encrypted email?

Send your report encrypted to security@tempmail.io using our public key.

Download PGP key 0x4F8A 2C3D 9E1B 7F62
What's in scope.
In Scope
tempmail.io web application
api.tempmail.io — all endpoints
Browser extension (Chrome, Firefox, Edge)
iOS and Android mobile apps
SMTP relay infrastructure
Custom domain routing system
Out of Scope
Social engineering attacks
Attacks requiring physical device access
Denial of service / volumetric flooding
Issues in third-party services we use
Already-known or publicly disclosed CVEs
Payout tiers.
Critical: $2,000 – $5,000
High: $500 – $2,000
Medium: $200 – $500
Low: $50 – $200
Info: Swag / credit
Bounties are paid via bank transfer or cryptocurrency within 30 days of a confirmed, fixed vulnerability. Duplicate reports are not eligible.
Safe harbour: We will not pursue legal action against security researchers acting in good faith and following these guidelines.
0–4 hours: Acknowledgement sent to reporter
4–48 hours: Full triage and severity assessment
48–7 days: Fix developed and reviewed
7–14 days: Patch deployed to production
After fix: Reporter credited in changelog

Security is everyone's responsibility.

We're grateful to every researcher who helps keep TempMail — and its 12 million users — safe.

View public audit reports