Disposable mail Responsible Disclosure Program | Disposable mail Blog – 10 minute mail

As of today, researchers can report security issues in Disposable mail services to earn a spot on our Hall of Fame as well as some cool prizes. The Disposable mail team has participated in most Responsible Disclosure programs out there and we felt the time is here to have one of our own.

But our service is made for finding web vulnerabilities, how come we need a Disclosure program? Well. Even though our services are based around finding security bugs in web applications, we are not as naive as to think that our own applications are 100% flawless. We take security issues seriously and will respond swiftly to fix verifiable security issues. If you are the first to report a verifiable security issue, we’ll thank you with some cool stuff and a place at our hall of fame page.

How does the reporting process work?

It’s a 5 step process:

  • A researcher sends a mail using the correct template to [email protected]
  • The researcher will get an automatic response confirming that we have acquired the issue
  • A support case is automatically created
  • The person assigned to the support case responds to the researcher, verifying the issue
  • The issue is patched and the researcher is showered in eternal

What bugs are eligible?

Any typical web security bugs such as:

  • Cross-site Scripting
  • Open redirect
  • Cross-site request forgery
  • File inclusion
  • Authentication bypass
  • Server-side code execution

What bugs are NOT eligible?

Any typical low-impact or overly complex issues, such as:

  • Missing Cookie flags on non-session cookies or 3rd party cookies
  • Logout CSRF
  • Social engineering
  • Denial of service

So what are you waiting for?

Sign up for Disposable mail here.

Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Guest blog: Karim Rahal on a Spotify playlist hack – 10 minute mail

This video demonstrates a cross site request forgery web vulnerability and a privilege escalation vulnerability in the official Spotify online service web-application. The vulnerability doesn’t require any user interaction for the exploitation of the privilege escalation which makes it near critical.

I came across the restore feature inside Spotify’s web application. The first thing that interested me was to find out how the feature really restored “deleted” playlists, so I went forward and captured the request with a proxy interrupting tool.

The Post content was as follows: playlist=spotify/user/(user)/playlist/(playlist)/

There was something interesting in the post content, the request was specifying the exact directory of the playlist.

I tried to change the specified directory from /user/karimmtv/ into /user/spotifydiscover and ran the request. The page then said “message”:”restored”.

I was shocked, but I was still doubting that anything actually happened, so I opened the Spotify launcher, and looking at my list of “playlists” I noticed a new un-named playlist. When trying to open it though, it would endlessly load.

I was about to give up, until I noticed how to glitch the renaming system in Spotify. Through double-left-clicking on the playlist 2 times, it allowed me to set a name for the “exploited” playlist. After setting a name to that playlist, the endless loading stopped and I could see a proper playlist, and it was by the user “spotifydiscover”.

I was astonished as I hadn’t actually planned on trying to exploit anything inside that restore feature but that moment of hope revealed an extremely critical vulnerability!

Follow up

When contacting Spotify they were first shocked by the revelation, but also very appreciative. They fixed the vulnerability within a week or so.

At the end of the day, everything is coded and developed by humans, and humans are not perfect, so there are always mistakes for security researchers like me to find and inform the vendor about. Mistakes that translate into vulnerabilities can lead to huge losses.

Remember, security comes first before functionality.
//Karim Rahal

The advisory of the vulnerability was first published on Vulnerability Lab back in September
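
The restore request in the write-up above names the playlist owner in the POST body, so the server has to compare that owner with the authenticated session before acting. The sketch below is an added example, not code from the original post or from Spotify: the handlers, the store layout and the playlist ids are hypothetical, and the sample data is constructed.

```python
import re
from urllib.parse import parse_qs

# Field shape quoted in the write-up: spotify/user/(user)/playlist/(playlist)/
PLAYLIST_RE = re.compile(r"spotify/user/([A-Za-z0-9_.-]+)/playlist/([A-Za-z0-9]+)/?")


class RestoreError(Exception):
    """Carries the HTTP status the endpoint would answer with."""

    def __init__(self, status, reason):
        super().__init__(reason)
        self.status = status


def new_store():
    """Constructed sample state (hypothetical layout, playlist ids invented)."""
    return {
        "deleted": {"karimmtv": {"pl100"}, "spotifydiscover": {"pl900"}},
        "library": {"karimmtv": set(), "spotifydiscover": set()},
    }


def parse_playlist_field(body):
    """Return (owner, playlist_id) from the form body, or raise a 400."""
    values = parse_qs(body).get("playlist", [])
    if len(values) != 1:  # missing, empty or repeated parameter
        raise RestoreError(400, "expected exactly one playlist field")
    match = PLAYLIST_RE.fullmatch(values[0])
    if match is None:
        raise RestoreError(400, "malformed playlist path")
    return match.group(1), match.group(2)


def restore_trusting_client(store, session_user, body):
    """Flawed form: the owner is taken from the request and never compared
    with the session, so any account's deleted playlist can be claimed."""
    owner, playlist_id = parse_playlist_field(body)
    if playlist_id not in store["deleted"].get(owner, set()):
        raise RestoreError(404, "no such deleted playlist")
    store["library"][session_user].add((owner, playlist_id))
    return {"message": "restored"}


def restore_checked(store, session_user, body):
    """Hardened form: the owner in the path must be the authenticated user,
    and the lookup uses the session identity, not the request value."""
    owner, playlist_id = parse_playlist_field(body)
    if owner != session_user:
        raise RestoreError(403, "playlist belongs to another account")
    deleted = store["deleted"].get(session_user, set())
    if playlist_id not in deleted:
        raise RestoreError(404, "no such deleted playlist")
    deleted.discard(playlist_id)  # a restore can only happen once
    store["library"][session_user].add((session_user, playlist_id))
    return {"message": "restored"}


def status_of(handler, store, session_user, body):
    """Run a handler and return the HTTP status it would produce."""
    try:
        handler(store, session_user, body)
        return 200
    except RestoreError as exc:
        return exc.status


if __name__ == "__main__":
    foreign = "playlist=spotify/user/spotifydiscover/playlist/pl900/"
    own = "playlist=spotify/user/karimmtv/playlist/pl100/"
    for handler in (restore_trusting_client, restore_checked):
        store = new_store()
        print(handler.__name__,
              "foreign:", status_of(handler, store, "karimmtv", foreign),
              "own:", status_of(handler, store, "karimmtv", own))
```

A production endpoint would ideally take only the playlist id from the client and derive the owner from the session, which removes the field that was tampered with.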


Guide to Responsible Disclosure and Bug Bounty – 10 minute mail

Responsible disclosure is the foundation of ethical hacking. When Disposable mail employees give talks about what we have learned from hacking well-known companies like Google and Slack, people get confused. Is hacking even legal? What do the companies say when you hack them? Are you going to get sued for going public with a vulnerability you found on Facebook? It all boils down to a policy called Responsible Disclosure, and a monetary reward system called Bug Bounty. We have gathered 10 frequently asked questions about responsible disclosure and bug bounties and explain how it all works.

What does Responsible Disclosure mean?

The concept is exactly what the name suggests; it is a responsible way of disclosing vulnerabilities. When a company implements a Responsible Disclosure Policy, it means that they allow freelance ethical hackers to find and report vulnerabilities to them. It’s a way of saying “It’s okay for you to hack us and report the vulnerabilities that you find on our website. We will not press charges or call the police when we receive your report, but we appreciate your efforts and will act on your findings as long as you do your research in a responsible and ethical way.”

What is the difference between Responsible Disclosure and Bug Bounty?

Responsible Disclosure opens the door for ethical hackers to find and report vulnerabilities to you. Bug Bounty, on the other hand, means offering monetary compensation to the ethical hackers who find vulnerabilities. The monetary reward is often based on the severity of the vulnerability, i.e. a typical “Game Over”-vulnerability like Remote Code Execution often pays more than a “simpler” vulnerability.

“How much do you have to pay if you have a Bug Bounty program?” might be your next question. Again, there are no standards to follow here, but a good idea is to go through existing ones for inspiration and benchmarks. A recommendation may be to rate the different types of vulnerabilities and pay the most for the most critical ones. A more experienced and skilled researcher will strategically go for the Bug Bounty programs that pay more, and budget expectations increase with the size of the company. A security researcher will not have the same payout expectations for a local online store as for large brands like Airbnb or Uber.

How do you set up a Responsible Disclosure policy?

1) Before launching a Responsible Disclosure policy, you should first discuss the initiative internally, so that everyone involved is aware of what it means and how it will affect them. Secondly, you need to decide which sites are in scope, i.e. what you would like security researchers to investigate. For example, you might host content on a third-party provider, which means that you can’t get access to their source code and fix the vulnerabilities yourself, you can only ask the researcher to get in touch with them. Or you might have support pages or blogs that should be out of scope, since consequences would be limited even if they were compromised. Determine what is in scope, how the vulnerabilities should be reported, who handles the reports, and what the response process should look like.

2) Set up a page called Responsible Disclosure/Report Vulnerabilities or similar. Describe which pages are in scope, what types of vulnerabilities can be reported and how researchers should report them.

Here’s a couple of examples of how a Responsible Disclosure page could look:

Tesla’s responsible disclosure page

Disposable mail’s responsible disclosure page

3) Set up an easy way for security researchers to contact the right person at your company. You can use [email protected], but remember to decide who will get the emails, so that they do not fall between the cracks or get forwarded to employees who shouldn’t get their hands on potentially very sensitive information (more about this under “Common mistakes”).

4) Decide if you’re going to hand out a so-called “bounty” as a token of appreciation. You can, for example, reward the ethical hacker with money or a t-shirt with a handwritten thank you note. Hackers also appreciate updates on the status of their vulnerability report.

Disposable mail’s Frans Rosen says that he has never gotten as many t-shirts as when he started with ethical hacking. It’s a common misconception that most ethical hackers are only driven by money – recognition and appreciation are two other important drivers.

What companies use Responsible Disclosure?

Google, PayPal, and other US-based tech companies were early to implement and utilize Responsible Disclosure and Bug Bounty programs. Today, however, the trend has spread, and more and more different types of companies are opening up to getting help from the ethical hacker community.

In Sweden, where Disposable mail is based, several Scandinavian banks such as DanskeBank, Swedbank and Avanza have recently set up Responsible Disclosure policies.

Swedbank’s responsible disclosure page

Many mistake Responsible Disclosure and Bug Bounty for something that only benefits the private sector, but even governmental agencies like the US Army, the US Airforce, and the Pentagon (!) have opened up limited-time bug bounty programs together with platforms like HackerOne. Several Disposable mail security researchers were invited to exclusive hacking trips organised by governmental agencies, which shows that the security mindset shift is not limited to the private sector. The main reason for this is that bug bounty programs pay off. When 1410 ethical hackers were invited to hack the Pentagon, the first bug was reported after only 13 minutes.

Mathias Karlsson, one of Disposable mail’s founders, along with Frans Rosén, Disposable mail Security Advisor,  at Hack the Air Force in New York (Photo by HackerOne)

Who does Responsible disclosure and Bug bounty programs attract?

Ethical hackers, white-hat hackers, security researchers or good hackers. That is, people with an interest in security who want to help companies and/or earn money legally.

The opposite of white-hat hackers are black-hat hackers who look for vulnerabilities in order to blackmail companies, access corporate secrets, or steal sensitive customer data such as credit card information.

What are the risks associated with Responsible Disclosure?

Unsurprisingly, this is a question we hear very often when we talk about ethical hacking. The thought of opening the door and allowing hackers to find security issues can sound intimidating.

Our recommendation is to use legal advisers to map out any legal risks specific to your case, but here are some important points that might help:

1) Responsible disclosure is all about proving that there is a vulnerability on your site – not exploiting it. The standard guideline is to stop digging immediately after obtaining a “proof of concept”. The ethical hacker should never, ever use the vulnerability to harm the company for their own gain. Remember to formulate your guidelines as explicitly as you can on your Responsible Disclosure page. If a hacker were to ignore the guidelines, this could lead to legal consequences.

Of course, there have been incidents that could be placed in a grey zone, but such situations are usually the result of unclear policies. One well-known example is the One Million Bug incident a few years ago where a security researcher, according to Facebook, went too far in his frustration when Instagram acted too slowly on the bug he had reported.

2) A Responsible disclosure policy should also state that the security researcher should not publicly disclose a vulnerability before it is fixed. If a security flaw is disclosed before it is patched, other hackers could learn about it and use it for malicious purposes.

3) Keep in mind that every skilled security researcher is pretty confident that a black-hat hacker, if they have put their mind to it, will be able to access your systems. By aligning yourself with the security community that is able to keep up with the latest hacker knowledge and attack methods, you can get help and expertise that you cannot find anywhere else.

4) A problem that you might run into, is people reporting vulnerabilities that are not really an issue or are found on websites that are out of scope, and claiming a bounty for it (this is sometimes referred to as a “beg bounty”). Make sure to set up a proper Responsible disclosure page, and refer them to that information.

5) As a developer, it is almost impossible to keep up with all the latest security bugs manually. If Google, Facebook and PayPal are unable to do it, why would your department succeed? Using external help in the form of crowdsourced and automated security or Responsible Disclosure is a must in a world where technology and black-hat hacker methods are ever-changing.

What is a Security Hall of Fame?

Ethical hackers are often driven by recognition. A Security Hall of Fame is a great way to reward ethical hackers who report vulnerabilities to you, and it also works as a nice motivator for other ethical hackers to surpass the currently listed ones. It is a good option for companies that do not wish to reward security researchers with money.

Setting up a Security Hall of Fame is simple. You simply list the hackers who reported the most serious vulnerabilities to you with their name, social media handle and image.

Check out Spotify’s Hall of Fame, where Disposable mail’s Frans Rosén is listed!

Will the ethical hacker automatically be allowed to go public with the vulnerability as soon as it is patched by the affected company?

No, not necessarily. We usually encourage information sharing as the community’s development depends on researchers sharing knowledge and detailed write-ups. If your patched vulnerability is the subject of a security write-up, this does not mean your brand is not trustworthy. It shows that your company encourages transparency, values security, and can participate in the discussion in a forward-thinking way.

When it comes to disclosure, it is up to you to decide how to set it up. Many companies do not allow the researcher to write about the finding at all, but you can also choose so-called full disclosure or partial disclosure, where not all the technical details are outed.

Slack’s quick response to a vulnerability report was praised in the media. This article from The Register is just one example. 

As mentioned above, security flaws do not have to lead to negative PR. An awesome example is when Disposable mail’s Frans Rosén hacked internal messaging tool Slack in 2017, and discovered a method that could give him access to all internal communication. Slack’s CISO responded to his report immediately and within 5 hours on a Friday night (!) the bug was patched. When we, with Slack’s permission, wrote about the event and the media picked up the news, the articles were extremely positive, and Slack were praised for their transparency and quick response time.

Why would an ethical hacker report a vulnerability even if they don’t get paid?

Disposable mail is founded by a group of top-ranked white-hat hackers who have reported hundreds, if not thousands, of vulnerabilities, spent hours finding a way to contact the person in charge, and made countless follow-ups to ensure the vulnerability is fixed. We asked them the following question: “What drives you to keep doing this, even if you are not paid for it?”

I’m striving for perfection, says Fredrik, 27, Disposable mail founder and an ethical hacker who is listed on countless Security Halls of Fame and has been named Security Expert of the Future by Symantec. I want systems to be perfect, when I use a system or visit an application, I want it to work flawlessly. When it does not, I want to help, I want to get the technology on the internet to work without bugs.

Just like a painter will notice a badly painted hall, or a designer will notice things they would have done differently in an ad, an IT security-minded person will notice errors or vulnerabilities in your system – whether or not they want to. It’s just there in front of us, and it makes no sense to shut the door when you can allow us to help you, says our security researcher Linus, 18, who started his career by hacking Google legally through Responsible Disclosure at the age of 14. He claims that Google’s positive response and bug bounty program have contributed enormously to developing his security interests.

Hear more from the 100+ ethical hackers Disposable mail works with through our Crowdsource platform, and learn what drives and motivates them.

Common mistakes companies make when implementing Responsible Disclosure?

Keep in mind that the security community is busy, both internationally and locally, and rumors about companies that make mistakes spread rapidly. A very common mistake is that no one responds to the reports even though the company has a responsible disclosure page. Another mistake companies make is to neglect fixing the vulnerabilities reported by researchers. From the perspective of an ethical hacker, this makes a company less attractive and the hacker is unlikely to look for vulnerabilities on their site again. If you implement a responsible disclosure policy, it is important to do it properly and prove that you take security seriously.

How does Disposable mail work with this?

1) Our own Responsible disclosure and Security Hall of Fame
Even though we are founded by ethical hackers who have found critical vulnerabilities in most known tech brands, we are well aware that internal competence is not enough. We have our own responsible disclosure program and Security Hall of Fame and encourage you to report any vulnerabilities, flaws and bugs you come across on our website.

2) We are from the white-hat hacker community
Our story started in the white-hat hacker community and we still work closely with ethical hackers to keep our scanner up to date.

3) Our tool is powered by 100+ ethical hackers
The handpicked security researchers in our platform constantly report their latest findings to us, making sure Disposable mail covers more programming languages and technologies than ever before. Here’s a 1,5-minute video explaining how we work with the world’s best white-hat hackers.

Disposable mail is a web security scanner that performs fully automated tests to identify security issues on websites. Our global network Disposable mail Crowdsource allows us to work side by side with the white-hat hacker community.  When researchers submit newly discovered exploits, we incorporate them into Disposable mail’s automated security service. Every time a reported issue is found on any of our customer’s websites, the researcher is rewarded. Are you interested in joining? Drop us an email: crowdsource [at] detectify.com and we’ll tell you more. 


Inside the mind of a black-hat hacker – 10 minute mail

What does a black-hat hacker look like? The word probably conjures up a picture of a hoodie-wearing computer genius hacking away in a dark room. While dramatic, this image does not say much about hackers’ methods and motives. To change that and help you improve your security, we explain how black-hat hackers think and how understanding them can guide your security strategy.

When we attend security events, we always get plenty of questions about black-hat hackers. “How do hackers approach potential targets?” “Do they only attack large companies?” “Why would they want to hack me?” Although hackers are by no means a homogenous group, understanding how they approach targets is crucial. Knowing how black-hat hackers work can help you improve your security and make it harder for malicious attackers to breach your site.

No target is too small for a black-hat hacker

Political cyber attacks that make the headlines give the impression that hackers like to focus on governments and large corporations. Targeted attacks are, in fact, extremely rare, but the attention they receive can lull smaller organisations into a false sense of security.

Black-hat hackers use automation to increase their chances of success and seldom spend time looking for a specific organisation to target. Rather than industry or company size, the common denominator in attacks is usually a vulnerability that affects a large number of websites.

A popular black-hat hacker strategy is checking security patch notes for different technologies. Patch notes contain details about vulnerabilities that have been remediated in the latest update. Hackers know that many users update their platforms and services sporadically and could still be vulnerable. Once they have selected a suitable vulnerability in a popular technology, the attacker can write a script that scans the web for affected sites and exploits the vulnerability.

What you can do: Adopt a proactive approach to security. Keep all third party services up-to-date, remove the ones you are not using, and monitor your site’s security on a regular basis.

What is secure today could be vulnerable tomorrow

Security changes every day and nothing can ever be 100% secure. Vulnerabilities are often discovered in technologies that have been in use for many years and might seem stable and secure.

It is not unusual for security issues to go unnoticed for a long time, like a recently discovered vulnerability in the Linux kernel that was first patched after 11 years. Black-hat hackers know this and are always on the hunt for new vulnerabilities. Even if an ethical security researcher discovers an issue first, malicious hackers will eventually find out about it and try to exploit it in systems that haven’t been updated.

Don’t let this discourage you from working with security! There is a growing movement of white-hat hackers, ethical security researchers who work hard to discover and report vulnerabilities responsibly. These talented ethical hackers help companies stay one step ahead of black hats. You can always ask the white hat community for help by implementing a responsible disclosure policy and utilising crowdsourced security.

The global white-hat community can help you secure your site

What you can do: Consider implementing a responsible disclosure policy to stay on top of the latest threats.  

Skill is not a requirement

The image of the black-hat hacker genius is one of the most common misconceptions about black hats. While complex exploit chains can’t be designed by just anyone, many types of attacks require neither a high level of skill nor an advanced knowledge of coding. Combining a simple attack with automation is something a bored high schooler could easily do in an afternoon.

The recent increase in the number of cryptominers installed on governmental and media websites is partly due to the fact that anyone can do it. All an attacker needs is an understanding of S3 bucket misconfigurations, something they can easily learn by reading articles online. Similarly, anyone with a taste for chaos and enough money to buy a botnet can carry out a DDoS attack. Linus Särud, Disposable mail security researcher, explains how easy it is to DDoS a website: “All you need for a DDoS attack is Google and a few dollars.”

What you can do: Learn about different types of vulnerabilities to gain a better understanding of what it takes to exploit them.

Simple vulnerabilities are a way in

Black-hat hackers like to target simple, seemingly harmless vulnerabilities. Developers often dismiss low severity vulnerabilities that have the potential to open the doors for chain.

Using automation to find minor vulnerabilities on a large number of sites gives attackers a starting point for manual work. Seemingly innocent flaws like exposed admin panels, login/logout CSRF, or server-side request forgery all help hackers find a way into your system.

This does not mean that black hats never look for rare and critical vulnerabilities. However, it is important to be aware of the fact that the average black-hat hacker targets minor vulnerabilities that can be part of a chain attack.

What you can do: Make sure low severity vulnerabilities (low and notice severity in Disposable mail reports) don’t end up at the bottom of your backlog. Critical issues should always be prioritised, but it is important to tackle minor flaws as well.

Social engineering and hacking go hand in hand

While it’s easy to imagine a black-hat hacker as a hoodie-clad loner coding away in a dark room, this is seldom the case. Black hats are often skilled in the art of social engineering – in other words, fraud. Social engineering includes everything from persuading victims to visit a website with a malicious payload (common practice in XSS and CSRF exploits) to gaining access to a company’s office and hacking on-site.

In 2010, the Apache foundation infrastructure was attacked by hackers who used social engineering to gain access to employees’ passwords. The attackers logged password change requests and sent out password reset emails. As a result, Apache employees changed their passwords, unknowingly handing them over to the attackers. Although it was just one part of a complex attack, social engineering offered the hackers a shortcut and made it much easier for them to gain full root access to the machine they were targeting.

What you can do: Read up on phishing, educate your team, and be vigilant. Don’t forget about service desk staff – they have access to many different systems, and make an attractive target.

Money is not always the motivation

Although financial gains and even organised crime are often the reason behind malicious hackers’ activities, this is not always the case. Some black hats see hacking as a challenge while others simply do it for the thrill of exploiting security flaws.

Disposable mail security researcher Linus Särud explains: “Some people just want to see the world burn. Black-hat hackers don’t always need a reason to hack a website. Sometimes they just want to play around and see what they can get away with.” This is why it is important to secure your site even if you are confident that you have nothing worth stealing.

What you can do: Implement security measures on your entire website, not just pages that process payment information and sensitive personal data.

What does it all mean?

The only prerequisite for becoming a target is simply having a website, which puts all businesses with an online presence at risk. Luckily, threat awareness and a proactive approach to security can go a long way in keeping your site secure. The community of white-hat hackers is growing and companies are no longer alone in their fight against black hats.

While black-hat hackers are not going to stop trying to hack, it is definitely possible to make their attempts less successful. The future of web security looks bright and if you’ve read this article, you’re taking security seriously and are on the right track!


3 ways white-hat hackers can help you protect your website – 10 minute mail

White-hat hackers are experts at discovering vulnerabilities and they want to help you improve your security. You may never be able to hire them for a full-time position, but they can play a key role in protecting your web application. Here are three ways to leverage their knowledge and keep your website safe.

 1. Responsible disclosure

Most companies first approach the security community by implementing a responsible disclosure policy. Responsible disclosure allows security researchers to look for vulnerabilities and report them to the vendor without running the risk of legal action. Having a responsible disclosure in place signals that an organisation is open to vulnerability reports from white-hat hackers.

Tech giants in Silicon Valley were the first to implement responsible disclosure despite having security teams of their own. This shows that everyone, regardless of organisation size and the level of internal security knowledge, can benefit from asking white-hat hackers for help.

Getting started

Before you go ahead and implement a responsible disclosure policy, make sure you have the resources and a process to follow up on vulnerability reports. Receiving your first report can be stressful, but establishing a routine for evaluating reports and fixing vulnerabilities will help you keep your security work structured. If you’d like to get started with responsible disclosure, you can take a look at our Guide to Responsible Disclosure, which answers some commonly asked questions.

2. Bug bounty

If responsible disclosure is the first step towards bringing businesses and white-hat hackers closer together, bug bounty is what comes next. Bug bounties are essentially responsible disclosure programs that reward white-hat hackers for reporting vulnerabilities. The rewards can be anything from t-shirts and stickers to payouts adding up to thousands of dollars.

Bug bounties often receive considerable attention in the media, especially when large monetary rewards are involved. You may have heard of companies like Google paying out immense sums to white hats who reported critical vulnerabilities to them. Back in 2014, our security researchers discovered a vulnerability that gave them read access to Google’s production servers, which resulted in a $10,000 bug bounty. However, this is by no means the biggest bug bounty payout of all time!

Getting started

The majority of companies do not run bug bounty programs on their own, but partner with a dedicated platform like HackerOne or BugCrowd. Using a platform makes it easier for the organisation to structure their bug bounty program and get access to white-hat hackers who can help them find vulnerabilities.

3. Automated bug bounty – Disposable mail Crowdsource

With responsible disclosure and bug bounty programs, companies can only remediate one vulnerability at a time. Turning to the security community is a step in the right direction, but what if white-hat knowledge could scale? This is a question we are aiming to answer with our crowdsourced security platform Disposable mail Crowdsource.

Disposable mail Crowdsource is an invite-only ethical hacking platform that combines bug bounties with automation. Skilled white-hat hackers discover vulnerabilities in widely used technologies and submit their findings to Crowdsource. All submissions are reviewed by Disposable mail’s security team and those that are accepted are built into the Disposable mail scanner. This way, every submission is turned into a security test that runs on our customers’ websites.

Instead of only securing a single web application, one vulnerability report can secure thousands! Every time the security test identifies a vulnerability, the white-hat hacker who submitted the finding gets a payout.

White-hat hackers who submit their findings to Disposable mail Crowdsource can also participate in traditional bug bounty programs as we don’t require exclusivity. As long as the discovered vulnerability can be automated, we’re interested in it!

Getting started

If you use Disposable mail to monitor your security, you are already benefiting from what Crowdsource has to offer. Every time you scan your web application with Disposable mail, your scan includes crowdsourced security tests. All findings that were discovered using a module from Crowdsource are tagged with the “Crowdsource” tag.

If you are not using Disposable mail yet, you can give it a try by signing up for our free trial that gives you access to all Disposable mail security tests, including those sourced from Crowdsource.

All findings sourced from Disposable mail Crowdsource are tagged with the “Crowdsource” tag.
