Security Policy
Hack us if you can.
This is free, open-source software built for the community.
We believe we have built strong security controls, but let's be real: everything is considered secure until someone hacks it for the first time.
We actively encourage security research and testing on this tool. You are completely free to evaluate its security through your own tests and exploits, and we thank you immensely for your efforts.
Open-Source Infrastructure
To make your life easier, our entire architecture is open-source and can be inspected at the Haltman.IO GitHub. Here is the breakdown of our core components:
- Front-end
  The UI you are currently reading.
  https://github.com/haltman-io/mail-forwarding-ui
- Back-end API
  The API consumed by this UI.
  https://github.com/haltman-io/mail-forwarding-api
- Back-end Core
  The core email routing engine.
  https://github.com/haltman-io/mail-forwarding-core
- Back-end DNS Checker
  Allows users to add domains to the mail forwarder interactively.
  https://github.com/haltman-io/mail-forwarding-dns-checker
- Back-end DKIM Sync
  Identifies new domains in the database and adds them to the OpenDKIM table for signing.
  https://github.com/haltman-io/mail-forwarding-dkim-sync
- Back-end UI SaaS
  Caddy configuration with on-demand TLS and a custom NodeJS + ExpressJS API for the ASK endpoint. Enables users to replicate the Front-end UI by pointing a CNAME to forward.haltman.io: the ASK endpoint returns HTTP 200 OK only after DNS validation succeeds, which is what triggers Caddy to issue an on-demand TLS certificate for that domain.
  https://github.com/haltman-io/mail-forwarding-ui-saas
- Browser Extension (Mozilla Firefox)
  Mozilla Firefox add-on.
  https://addons.mozilla.org/en-US/firefox/addon/email-alias-manager/
  Source: https://github.com/haltman-io/mail-forwarding-addon-mozilla-firefox
Bug Bounty & Reporting
Vulnerabilities must be reported via email. Please send your report to both security@haltman.io and members@proton.thc.org. Sending to either one is fine (we sync up internally), but copying both ensures the fastest response time.
We appreciate clarity. Please provide a detailed step-by-step reproduction path and attach actionable evidence (PoC). You can use the following template to speed up the triage process:
[TITLE] Type of vulnerability (e.g. RCE, XSS, SQLi) in [Component Name]

--- VULNERABILITY DETAILS ---
Type: (e.g. Stored XSS, Authentication Bypass, etc.)
Impact: (What does an attacker gain access to?)
Component/URL: (e.g. /api/v1/auth or mail-forwarding-api)

--- STEPS TO REPRODUCE ---
1. Execute the following cURL request...
2. Observe the payload being triggered at...
3. ...

--- EVIDENCE / POC ---
(Attach logs, screenshots, terminal outputs, or a script)

--- RESEARCHER ALIAS ---
(How you want to be listed in our Hall of Fame)
Confirmed vulnerabilities will be generously rewarded, and your alias will be immortalized in our Hall of Fame! We strongly value hackers who communicate responsibly.
Contact & Support
If you have questions, feel free to ask via email. However, we hang out and reply much faster on Telegram: