Bug Bounty Process:
AT&T & Mail.com

By Isaac Strock · Information Systems Student & Bug Hunter

A walkthrough of two different bug bounties: AT&T, reported via HackerOne, and Mail.com, reported directly to their security email. Both are valid, paying programs, but their reporting and payment processes differ. Here is what each one requires and how they compare.


Two Programs, Two Processes

AT&T runs a managed bug bounty program through HackerOne, meaning all communication, triage, and payment flows through the platform rather than directly with AT&T. Mail.com operates independently - you contact their security team by email and handle everything outside of any third-party platform.

Both programs pay real money for valid findings. The process to get there is just structured very differently.

AT&T - HackerOne

Platform-managed program. Reports submitted through a structured form on HackerOne. Triage handled by HackerOne staff, review and reward handled by AT&T.

Mail.com - Direct

Independent program. Reports submitted via email directly to Mail.com's security team. No platform, no triage middleman - just you and them.


Reporting via HackerOne - AT&T

HackerOne is a bug bounty platform that manages programs on behalf of companies like AT&T. When you submit a report, it goes to HackerOne's triage team first - not AT&T directly. They validate it, check for duplicates, and pass it along. AT&T then does their own internal review before any reward is issued.

Reporting Steps

  1. Create a HackerOne account if you don't have one, then find the AT&T program page and read the scope carefully before doing anything.
  2. Confirm your finding is in scope. AT&T's program lists what assets and vulnerability types are eligible - if it's out of scope it won't pay regardless of severity.
  3. Fill out the report form. You'll write a title, description of the vulnerability, and the steps to reproduce it. You self-select the weakness type (CWE) and can optionally select a severity rating, though HackerOne triage will assign the final CVSS score.
  4. Attach your proof of concept - screenshots, a screen recording, or both. A clear PoC that shows the full impact is the most important part of any report.
  5. Submit. HackerOne's triage team will reply, typically within a few days. They'll confirm whether it's a duplicate, clarify scope, or ask follow-up questions. They set the official severity at this stage.
  6. Wait for AT&T's internal review. This is usually one to two weeks, though minor bugs can take longer - one report took around five weeks to get a first reply.
  7. Once AT&T verifies the issue, the reward is issued the same day or very shortly after. You'll also receive a follow-up request to verify their patch once it's deployed.

Payment Process

Once your bounty is awarded, HackerOne handles the payout. You'll need to submit a W-9 form (US residents) or equivalent tax documentation. From there you select your preferred payout method - options include bank wire transfer, PayPal, Bitcoin, and others depending on your region. Payment typically clears shortly after the tax form is verified.

Disclosure

Public disclosure is not allowed until AT&T closes the report and grants permission. HackerOne enforces this. You can request disclosure after the issue is resolved but it's ultimately AT&T's call on timing.

Response time varies more than you'd expect. A critical finding might get triaged within 24 hours while a low-severity report can sit for weeks. Don't expect a consistent timeline - just be patient and follow up politely if it's been more than two weeks with no movement.

Reporting Directly - Mail.com

Mail.com (and their related service GMX.com, which appears to get more activity) runs its own bug bounty program without using a third-party platform. You email their security team directly with your findings. The same process applies to both Mail.com and GMX.com since they operate under the same parent company.

Reporting Steps

  1. Find Mail.com's security disclosure email address. It's listed on their bug bounty or responsible disclosure page. GMX.com has the same program - either can be used depending on where the vulnerability is.
  2. Review their scope and eligibility requirements before writing anything. Like HackerOne programs, out-of-scope findings won't be paid.
  3. Write your report as an email. There's no form to fill out, so structure it yourself - include a clear title, description of the issue, reproduction steps, and impact. Match the level of detail you'd put into a HackerOne report.
  4. Attach your proof of concept. Same expectation as any other program - screenshots and/or a recording showing the full vulnerability and its impact.
  5. Send the email and wait. Mail.com typically replies within a few days confirming receipt and whether the issue is in scope for payment.
  6. If the finding is valid and in scope, they'll follow up asking for your payment details for a bank transfer, and will ask if you want to be listed in their Hall of Fame.

Payment Process

Mail.com pays via international bank wire transfer. There's no platform intermediary handling the transaction - they send it directly. As a result, the payout takes longer than HackerOne's because of international wire processing times. The process itself is simple, but plan for it to take longer than a domestic transfer.

Disclosure

Mail.com handles disclosure on a case-by-case basis through direct email communication. There's no formal platform policy - it's an agreement between you and their security team. Hall of Fame listings are offered as an optional form of public acknowledgment separate from payment.

The GMX.com program appears to have more active researchers and slightly more documented history than Mail.com's, but both programs follow the same process and are run by the same team.

Key Differences

Both programs are legitimate and pay for valid findings. The main difference is structure - one gives you a platform and a process, the other puts all the work on you.

HackerOne - AT&T

Structured form-based reporting with a built-in triage layer. HackerOne handles communication, severity scoring, and payment logistics. More overhead but also more process clarity and researcher protections.

Higher competition. AT&T is a large, well-known program with a lot of active hunters, so duplicate reports are common.

Mail.com - Direct

Email-based, no platform. You write your own report format and communicate directly with their security team. Less overhead, but also fewer guarantees and slower international payment.

Lower competition. Independent programs like Mail.com tend to have fewer active researchers, which can make valid findings easier to come by.


Overall

HackerOne is the easier starting point for reporting and getting paid, but the competition on big programs like AT&T is real. If you find something, there's a decent chance someone already reported it. Smaller direct programs like Mail.com or GMX have fewer eyes on them, so valid findings are more likely to still be open.

The payment process on HackerOne is faster and more structured. Mail.com pays but the international wire adds time. Neither is a dealbreaker, just worth knowing going in.
