Forward Email's security audit by Cure53 is live!
Privacy Guides Community [Unofficial]
June 1, 2026
It is promising that they published this but damn those were some serious vulnerabilities.
Also think this is important:
> The limited timeframe of FWD-01, however, did not make it possible for Cure53 to cover as much of the ecosystem as desired.
>
> In particular, the mail stack and the internal services received only cursory attention relative to the web and API. For this reason, Cure53 strongly recommends continued retesting of the in-scope components in future engagements, as these are needed to maintain and extend the existing security posture observed during this initial May 2026 inspection.
For me personally it would not be mature enough. The fact they got this done is super positive, don't get me wrong, but the findings in the limited timeframe would leave me thinking more security improvement and testing is needed.
It would be fair to say these vulnerabilities are not uncommon at big providers either. But larger companies have dedicated security teams to make sure these things are solved quickly, rather than prioritizing speed to market and fixing things after a pentest.