⚠️ MailClark will be shut down on Dec 31st, 2022

Security Vulnerability Disclosure Program

Program description

  • This program is intended to protect the privacy and security of the users of our application.
  • The scope of this program is limited to security flaws in our infrastructure or application.
  • To report a vulnerability, please email us at support@mailclark.ai (our team will triage to the Incident Response Team accordingly).
  • When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.
  • Please allow us up to 7 days for confirmation of the reported issue.

Guidelines and conditions

  • Your testing must not violate any law.
  • Do not DDoS or otherwise disrupt, interrupt or degrade our services.
  • Please use your own account for testing or research purposes.
  • Do not attempt to gain access or information that does not belong to you, beyond the minimum necessary to demonstrate the vulnerability.
  • Do not permanently modify or delete hosted data.

We encourage the disclosure of the following eligible vulnerabilities:

  • Information Disclosure
  • Cross-site scripting
  • Cross-site request forgery in a privileged context
  • Server-side code execution
  • Authentication or authorization flaws
  • Injection Vulnerabilities
  • Significant Security Misconfiguration

Out of scope and exclusions:

  • Missing HTTP security headers.
  • Vulnerabilities only affecting users of outdated or unpatched browsers and platforms.
  • Social engineering (such as phishing emails to our staff).


  • This program is not a bug bounty program, and does not provide monetary rewards for submissions.
  • Rewards will be awarded at MailClark's sole discretion, and only if the discovery is reported in compliance with this policy.
  • Rewards may include: public acknowledgement (listing at the bottom of this page), coupon codes, and, exceptionally, monetary compensation.


  • If you have any questions about our vulnerability disclosure policy, please email support@mailclark.ai

Public acknowledgement

  • Pratik Khalane on January 4th, 2020: leak of front controller source code
  • Foysal Ahmed Fahim on June 1st, 2022: reuse of landing.mailclark.ai domain via AgileCRM