If you discover a security vulnerability in the TabMail Thunderbird add-on, please report it privately. Do not open a public issue.

Email security@tabmail.ai with:

• A description of the vulnerability and its impact
• Steps to reproduce (proof-of-concept if possible)
• The affected add-on version (see manifest.json → version)

We aim to acknowledge reports within 72 hours and to provide a remediation timeline after triage.

This repository covers the Thunderbird add-on only. The native full-text-search host, the iOS client, and the backend service have their own repositories / contact points; vulnerabilities in those should be reported to the same address with the affected component named.

Note that the add-on authenticates to and exchanges data with the TabMail backend over HTTPS. Issues in the hosted backend service should also be reported to security@tabmail.ai.

We follow coordinated disclosure. Please give us a reasonable window to ship a fix before any public disclosure. There is no paid bug-bounty program at this time; we are grateful for responsible reports and will credit reporters who wish to be acknowledged.