Isaac Strock / IsaacStrock.com / Mail.com / AT&T / 2026

Bug Bounty Process

A walkthrough of two different bug bounties: AT&T reported through HackerOne and Mail.com reported directly to a security email. Both are valid, payable programs, but the reporting flow, disclosure rules, and payment process feel very different.

Overview

Two Programs, Two Workflows

The main difference is structure. AT&T on HackerOne feels more formal because the platform gives you fields, status updates, triage, and payout tooling. Mail.com is more personal and lightweight, but it also means the report has to be organized well from the start.

AT&T via HackerOne

Platform-based reporting with triage, duplicate checks, severity review, disclosure controls, and HackerOne payout setup.

Mail.com Direct

Email-based reporting where you write the format, attach evidence, coordinate with the security team, and receive payment by bank transfer.

Process A

Reporting AT&T Through HackerOne

AT&T is the more structured process. HackerOne asks for a title, description, reproduction steps, weakness type, impact, and proof of concept. Triage may adjust severity, ask for more evidence, or mark a report as duplicate.

  1. 01Create or log in to HackerOne, find the AT&T program, and read the scope before testing.
  2. 02Confirm the affected asset and vulnerability type are eligible. Out-of-scope issues will not pay regardless of severity.
  3. 03Fill out the report with a clear title, vulnerability description, reproduction steps, impact, and weakness type.
  4. 04Attach proof of concept material such as screenshots or a short screen recording that shows the full issue.
  5. 05Submit the report and respond to HackerOne triage if they need clarification, severity details, or duplicate checks.
  6. 06Wait for AT&T internal review, then verify the fix if they ask after remediation.
The proof of concept matters most. A clean screenshot or recording that shows impact can make triage faster and reduce back-and-forth.

Process B

Reporting Mail.com Directly

Mail.com, and the related GMX.com program, use direct communication instead of a third-party platform. There is no preset report form, so the email needs to be clear enough to stand on its own.

  1. 01Find the Mail.com or GMX.com responsible disclosure address and review the program requirements.
  2. 02Write the report yourself as an email with the same structure you would use on a platform.
  3. 03Include a title, affected URL or account flow, steps to reproduce, impact, and proof of concept attachments.
  4. 04Send the email, wait for the security team to confirm receipt, and answer any follow-up questions.
  5. 05If the finding is valid and in scope, provide payment details for bank transfer and decide whether to be listed publicly.
Direct programs can have less competition, but they also give you fewer built-in status updates. A patient, well-structured follow-up helps.

Payment

How Payment Differs

HackerOne handles the AT&T payout after tax and payment details are set up in the platform. Mail.com pays directly, usually through an international bank wire, so it can take longer even when the finding is accepted quickly.

Disclosure

Public Disclosure

AT&T disclosure is controlled through HackerOne and generally requires permission after the report is resolved. Mail.com handles disclosure by email, and Hall of Fame recognition is separate from payment.

Takeaway

Overall

HackerOne is easier to start with because the platform gives you a process. Direct programs like Mail.com can be more open-ended, but they reward clear writing and careful documentation. Both require patience, scope discipline, and proof that the issue is real.

Back to IsaacStrock.com