If you've discovered a vulnerability in MailChimp, please don't share it publicly. Send any problems to us using the form below. We'll get back to you as soon as we can with a confirmation and a virtual hug—though we might fix the problem first.
We're so grateful to all the vigilant folks who have reported vulnerabilities. To the following people, thanks for doing your part to keep MailChimp and the entire email ecosystem safe!
Jack "fin1te" W.
Ali Hasan Ghauri
Ajay Singh Negi
Harsha Vardhan Boppana
Bastian Welfrid Purba
Jamal Eddine El Hadjeui
Yaroslav Olejnik, O.J.A.
Rakesh singh_V.harish kumar
J Muhammed Gazzaly
Osanda Malith Jayathissa
Submit a vulnerability report
When submitting a vulnerability, please let us know if you'd like to be publicly acknowledged on this page. Please read about the program details.
Reports for any Rocket Science Group-owned site that may contain sensitive data are welcome; this includes the following sites:
Only original, previously unreported bugs will qualify for credit. Bugs are limited to currently supported browser versions and must be reproducible. Please include the exact input data and the operation used.
Examples of bugs that have the potential to compromise the Rocket Science Group's data or any of its users' data, and that would qualify for the program:
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF/XSRF)
- Broken Authentication (including Facebook OAuth bugs)
- Circumvention of our Platform/Privacy permission models
- Remote Code Execution
- Privilege escalation from any non-admin role
- Provisioning Errors
The following will not qualify for the program:
- DDoS attacks
- Social Engineering
- Brute force password cracking
- Issues that cannot be reproduced
- Issues found through the use of automated tools, unless they are more than a simple copy/paste of the tool's output. A PoC and a detailed description of how the issue can affect a user's data or The Rocket Science Group's data/infrastructure must be included
- Username enumeration
- Previously reported bugs
- Bugs specific to unsupported browsers/plugins
- Bugs that rely on impractical user action (for example, having a user type an XSS payload into a particular field)
Please note that when researching a vulnerability, you may only use your own account. Do not attempt to use another user's account. The Rocket Science Group reserves the right to turn down any report it finds invalid and to revise or cancel the program at any time.
All research must not violate any law, or disrupt or compromise any data that is not your own.