Banger Mail welcomes good-faith security research. If you believe you have found a vulnerability in Banger Mail, email security@muchbetterapps.com. Include the affected host or application, reproduction steps, expected impact, and any logs or screenshots that help us understand the issue. We do not publish a PGP key for v1; please avoid sending unnecessary secrets, personal data, or mailbox content.
How to report
Send one report per issue when possible. Give us enough detail to reproduce the behavior safely, and tell us whether you believe the issue is being actively exploited. Please stop testing once you have enough proof to demonstrate the vulnerability.
Scope
In scope: bangermail.com, cloud.bangermail.com, the Banger desktop app, and the banger-worker backend services that support Banger Mail. Reports involving authentication, OAuth, mail routing, mailbox data protection, permission boundaries, or exposed sensitive data are especially useful.
Out of scope
Out of scope: denial-of-service or high-volume automated testing, social engineering, physical attacks, password-reuse account takeover, and vulnerabilities that exist only in third-party services not operated by MuchBetterApps. Do not spam, phish, credential-stuff, persist access, exfiltrate data, or view data beyond what is necessary to prove the issue.
Acknowledgement SLA
We will acknowledge in-scope reports within 3 business days and may ask for additional detail while we investigate. We will prioritize reports based on likely user impact, exploitability, and whether the issue appears to affect mailbox data or account access.
Safe harbor
We consider good-faith research within this policy authorized. If you stay within scope, avoid privacy harm and service disruption, promptly report accidental access, and do not retain or share data, we will not pursue legal action for that research.
Coordinated disclosure
Our coordinated-disclosure default is 90 days after acknowledgement unless we mutually agree otherwise or active exploitation requires faster action. This is not a paid bug-bounty program.