Security

Last updated: April 2026

MultiMail welcomes good-faith vulnerability reports that help protect agent email infrastructure, operators, and email recipients. Please report suspected security issues to [email protected].

Reporting channel

Send reports to [email protected]. Include a concise description, affected URLs or endpoints, reproduction steps, observed impact, and any logs or screenshots that help us validate the issue. Please avoid including third-party personal data unless it is necessary to demonstrate the vulnerability.

Response SLA and disclosure

We aim to acknowledge valid vulnerability reports within 5 business days. We target remediation or a clear status update within 90 days before public disclosure, unless active exploitation, legal obligations, or user safety require a different timeline. We will keep reporters informed as we triage and remediate.

Safe harbor

We will not pursue legal action against researchers who make a good-faith effort to comply with this policy, avoid privacy violations, avoid service disruption, and promptly report vulnerabilities. Research must be limited to what is necessary to confirm a vulnerability and must not involve data destruction, persistence, extortion, social engineering, spam, phishing, or access to unrelated accounts.

In scope

MultiMail production API endpoints under api.multimail.dev
MultiMail MCP endpoint under mcp.multimail.dev
MultiMail website and published documentation under multimail.dev
Authentication, authorization, tenant isolation, email delivery controls, and data retention behavior
Vulnerabilities that could expose email content, metadata, API keys, billing state, audit logs, or account controls

Out of scope

Denial-of-service testing, load testing, or resource exhaustion
Social engineering, phishing, spam, or physical attacks
Vulnerabilities in third-party providers unless they directly affect MultiMail's configuration or integration
Reports that require malware, destructive payloads, or unauthorized persistence
Scanner output without a practical exploit path or demonstrated security impact
Issues affecting only unsupported browsers, user-managed DNS, or user-managed email client configuration

Acknowledgments

We may recognize researchers who submit valid, previously unknown vulnerabilities and follow this policy. Acknowledgment is optional and will be published only with the reporter's consent.

Contact

Security reports: [email protected]
Legal and privacy requests: [email protected]

Ghst Particle, LLC
Montana, United States