Bug Bounties

SMTP2GO BBP

Powered by: 

Allows bounty splitting: 

Average time to first program response: 4

Average time to bounty awarded null: 

Average time to report resolved: 

Handle smtp2go

Managed program: true

Name: SMTP2GO BBP

Offers bounties: true

Offers swag: false

Response efficiency percentage: 100

Submission state: open

Url: https://hackerone.com/smtp2go

Website: http://smtp2go.com

In scope:

  • Asset identifier: api.smtp2go.com
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Most of the endpoints are handled by Flask on Python3 with Postgres as a main database. Newer endpoints use Go on Gin framework. Redis is mostly used for cache and ratelimitting. Instructions and documentations can be found here: https://apidoc.smtp2go.com/documentation/
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: app.smtp2go.com
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Flask based app running on Python 2.7, some pages are VueJS but most are scripted with custom JQuery. Create a free account in order to gain login access.
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: smtp2go.com
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Standard Wordpress site hosted with WPEngine, scripting is all custom JQuery based.
  • Integrity requirements: 
  • Max severity: critical