To report a security issue, please email This will page an on-call security team member immediately.

If possible, use our PGP key. The fingerprint is 3216 3264 8943 CD5D ED85 C894 7065 2BA9 A317 F933.

There are some false positives that you might run into:

  • Attachments on intentionally host any filetype and gaining JavaScript execution (via an HTML file) is typically not problematic. No cookies are used on the domain, and we treat all content there as untrusted. However, if you do find XSS/CSRF or HTML injection that crosses over into *, we absolutely want to hear about it.
  • Apparent brute force attacks against our login endpoint are usually not meaningful as we use mitigation methods that are not visible to the majority of clients.
  • Minutiae about autocomplete, field masking, charsets, etc. is typically not useful.

Researcher Hall of Fame

Cupcake would like to thank these security researchers for reporting issues: