PSMail Security Advisories

PSMail follows a coordinated vulnerability disclosure (CVD) process to work with security researchers who are willing to responsibly disclose vulnerability information to our security office.

PSMail does NOT participate in a Bug Bounty program. We don’t offer any bug bounty as money or financial rewards, but we work in good faith to resolve security issues reported to us privately. Security researchers are also welcome to coordinate vulnerability disclosure through CERT, where researchers can get public recognition for their work.

Below are the latest security advisories that were disclosed responsibly and resolved by PSMail security operations:  

October 20 2020: Thanks to independent security researcher Ronak Nahar for coordinated disclosure of an HTTP server information leak that can be used by potential attackers to collect reconnaissance information.

October 10 2020: Thanks to Saurabh Sanmane for pursuing coordinated disclosure of a denial of service of the HTTP component via slowhttp, dubbed “Slow Loris”.

March 12 2018: Apache Lucene engine susceptible to remote code execution (CVE-2017-12629), reported by Michael Stepankin (JPMorgan Chase) and Olga Barinova (Gotham Digital Science).

January 15 2016: A security assessment revealed potential leakage of a logged-in user's information via Cross-Site Scripting (XSS) in a custom-built web component of the portal. It was fixed on this date.

February 12 2015: The VPN service can be affected by remote attackers to cause a denial of service via an anomalous traffic condition (CVE-2014-8952).

October 12 2010: Thanks to a PSMail user for providing security feedback on a potential vulnerability involving a user profile being copied to another user.

October 7, 2004: Thanks to PSMail customer and group administrator Bob for disclosing an authentication bypass vulnerability that allowed collecting user information of non-group users.