Welcome to Posteo Security Transparency

„On this page we provide information about how security researchers, pen testers and developers can report bugs or vulnerabilities to Posteo.“

Posteo Security Transparency

Security contact information

Do you believe that you have found a bug or a vulnerability?

Please send your finding, well documented (including a proof of concept), to securityteam@posteo.de. We will have a look at it and investigate the impact and relevance. Encrypt your email with one of our public keys (S/MIME, PGP) and provide us with your public key for email encryption. Please report your findings in compliance with the common responsible disclosure rules to protect user data and security; reports always start out as non-public submissions to our security team.

Disclosure Process

We handle reported bugs and vulnerabilities with a coordinated disclosure policy. We usually publish findings after the vulnerability has been fixed and further testing has been performed, though we reserve the right to define the extent of information which will be published. You may not publicly disclose the vulnerability.

Bug Bounty

Currently our program consists of paid regular security audits and pen-tests performed by top researchers. If you find a bug or a security vulnerability, you might be eligible for a reward. Our rewards are relevance-based according to the impact the finding could cause. After investigating the reported vulnerability, we will decide on a reward and, if applicable, offer it to you.


| ID | Date of disclosure | Interface/Target | Title | Estimated potential | Status | Thanks to |
|---|---|---|---|---|---|---|
| 20231024-001 | 24.10.2023 | Mailing Lists | Unintended local-part disclosure | Low | Fixed | Oskar Hieronymus Hinz |
| 20221213-001 | 13.12.2022 | Web | Calendar: Self-XSS via ICS Import | Info | Fixed | Jan Preßler |
| 20191206-001 | 06.12.2019 | SMTP | Problem in conjunction with mismatching TLSA record of recipient server in rare circumstances | Low | Fixed | Daniel Stirnimann |
| 20180914-001 | 14.09.2018 | Web | Two bypasses of remote content blocking | Low | Fixed | Jens Müller |
| 20171023-001 | 23.10.2017 | Web | Unintended behaviour of public key directory settings page | High | Fixed | Jan Preßler |
| 20170817-001 | 17.08.2017 | Web | Calendar: Lack of proper ACL in Switch Calendar Function | High | Fixed | Cure53 |
| 20170816-007 | 16.08.2017 | Web | Redir/Phishing via HTTP X-Forwarded-Host Injection | Low | Fixed | Cure53 |
| 20170816-006 | 16.08.2017 | Web | Persistent XSS in Mail Body via ICS Attachment | Critical | Fixed | Cure53 |
| 20170816-005 | 16.08.2017 | Web | Calendar: Persistent XSS via ICS Import | High | Fixed | Cure53 |
| 20170816-004 | 16.08.2017 | Web | UI redressing via CSS position property | Medium | Fixed | Cure53 |
| 20170816-003 | 16.08.2017 | Web | HTTP Leak via encoded CSS Properties | Low | Fixed | Cure53 |
| 20170816-002 | 16.08.2017 | Web | Persistent XSS via SVG attachments | High | Fixed | Cure53 |
| 20170816-001 | 16.08.2017 | Web | Persistent XSS via malformed style attribute | High | Fixed | Cure53 |
| 20170714-002 | 14.07.2017 | Web | Wrong form handling in password settings page | Low | Fixed | Sajibe Kanti |
| 20170714-001 | 14.07.2017 | Web | 404 Error page returns erroneous URL | Info | Fixed | Sajibe Kanti |
| 20170621-001 | 21.06.2017 | Web | Notes: Abuse of API functionality | High | Fixed | Cure53 |
| 20170619-001 | 19.06.2017 | Web | Calendar: Lack of proper ACL in View Event Function | Critical | Fixed | Cure53 |
| 20170616-001 | 16.06.2017 | Web | Notes: Stored XSS via /notes-CSRF | Critical | Fixed | Cure53 |
| 20170612-005 | 12.06.2017 | Web | Calendar: Persistent XSS via Rename function | Info | Fixed | Cure53 |
| 20170612-004 | 12.06.2017 | Web | Stored XSS in autoreply settings | Info | Fixed | Anonymous |
| 20170612-003 | 12.06.2017 | Web | Stored XSS in calendar settings | Info | Fixed | Anonymous |
| 20170612-002 | 12.06.2017 | Web | Reflected self-XSS in password reset settings | Info | Fixed | Anonymous |
| 20170612-001 | 12.06.2017 | Web | URL enumeration in address books, when not user password encrypted | Critical | Fixed | Anonymous |
| 20170307-001 | 07.03.2017 | Web | Old PHPMyAdmin Version is exposed | High | Fixed | Cure53 |
| 20170203-004 | 03.02.2017 | Web | Insecure DOM manipulation via location.hash | Info | Fixed | Cure53 |
| 20170203-003 | 03.02.2017 | Web | MSIE11 DOM-based XSS via Referer header | Medium | Fixed | Cure53 |
| 20170203-002 | 03.02.2017 | Web | Insecure auth_token allows for Leak on Safari | Low | Fixed | Cure53 |
| 20170203-001 | 03.02.2017 | Web | DOMXSS via feedback_messages cookie | Low | Fixed | Cure53 |
| 20170202-001 | 02.02.2017 | Web | Possible Phishing via logout CSRF and XSS | High | Fixed | Cure53 |
| 20160515-001 | 15.05.2016 | Web | DOMXSS via URL | Low | Fixed | Djoukhrab Djaber |
| 20150409-014 | 09.04.2015 | Crypto Mail Storage | Read error via plaintext with a size divisible by CHUNK_SIZE | Low | Fixed | Cure53 |
| 20150409-013 | 09.04.2015 | Crypto Mail Storage | Size of the output buffer is not checked | Medium | Fixed | Cure53 |
| 20150409-012 | 09.04.2015 | Crypto Mail Storage | Reuse of the IV leads to keystream reuse | Critical | Fixed | Cure53 |
| 20150409-011 | 09.04.2015 | Crypto Mail Storage | scrambler_istream_read_decrypt_chunk without length check | Low | Fixed | Cure53 |
| 20150409-010 | 09.04.2015 | Crypto Mail Storage | Heap Overflow in scrambler_read_line_fd | Critical | Fixed | Cure53 |
| 20150409-009 | 09.04.2015 | Crypto Mail Storage | i_stream_try_alloc is called without checking the result | Low | Fixed | Cure53 |
| 20150409-008 | 09.04.2015 | Crypto Mail Storage | Missing hardening flags at compile time | Low | Fixed | Cure53 |
| 20150409-007 | 09.04.2015 | Crypto Mail Storage | HTTPS server allows connections using SSLv3 | Low | Fixed | Cure53 |
| 20150409-006 | 09.04.2015 | Crypto Mail Storage | Local storage of large files on read access | Critical | Fixed | Cure53 |
| 20150409-005 | 09.04.2015 | Crypto Mail Storage | Out-of-bounds write due to AES block alignment | Low | Fixed | Cure53 |
| 20150409-004 | 09.04.2015 | Crypto Mail Storage | Memory corruption due to incomplete mail header | Medium | Fixed | Cure53 |
| 20150409-003 | 09.04.2015 | Crypto Mail Storage | Weak user permissions on the mail archive | Low | Fixed | Cure53 |
| 20150409-002 | 09.04.2015 | Crypto Mail Storage | Null pointer dereference on wrong “package” | Low | Fixed | Cure53 |
| 20150409-001 | 09.04.2015 | Crypto Mail Storage | Insecure doveadm argument via scrambler_plain_password | High | Fixed | Cure53 |
| 20141112-001 | 12.11.2014 | Web | Server Type/Information Disclosure | Info | Fixed | Anonymous |