If you've discovered a vulnerability in the MailChimp application, please don't share it publicly. Send any problems to us with the form below. We'll get back to you as soon as we can with a confirmation and a virtual hug—though we might fix the problem first.

SOC II Compliant
PCI DSS Certification

We're happy to provide our full SOC II Report. Just fill out the form to request an NDA, and once the NDA is signed and returned, we'll send you the report.

Submit a vulnerability report

Only original, previously unreported bugs will qualify for credit. Bugs are limited to currently supported browser versions and must be reproducible. Please include the exact input data and the operation used. Please do not run automated scans with applications such as BurpSuite. Submissions from anyone we find scanning the system will be treated as a DDoS attack and marked invalid.

Only submit one issue per ticket.

The following will not qualify for the program:

  • Banner/version disclosure
  • Username enumeration
  • Issues found through the use of automated tools must not be a simple copy/paste of the tool's result (example: sending an ssllabs.com URL for the mailchimp.com domain). A PoC and a detailed description of how the issue can affect a user's data or The Rocket Science Group's data/infrastructure must be included.
  • Previously reported bugs
  • Bugs that rely on impractical user action. (example: having a user type out an XSS payload into a particular field)
  • Issues that cannot be reproduced
  • DDoS attacks
  • CRIME/BEAST attacks
  • Social Engineering
  • Brute force password cracking
  • Bugs specific to unsupported browsers/plugins
  • Signup/Login/Logout cross-site request forgery
  • URL redirection
  • Attacks mitigated by HSTS (HTTP Strict Transport Security)
  • Pursuing vulnerabilities which send unsolicited bulk messages (spam) or unauthorized messages.

Please note: when researching a vulnerability, only use accounts you own. Do not attempt to use another user's account. The Rocket Science Group reserves the right to turn down any report it finds invalid and to revise or cancel the program at any time.

All research must not violate any law, and must not disrupt or compromise any data that is not your own.

Hall of Fame

We're so grateful to all the vigilant folks who have reported vulnerabilities. To the following people, thanks for doing your part to keep MailChimp and the entire email ecosystem safe!