* feat; update bug-bounty * fix: reduce alarms further
8.0 KiB
Puter Bug Bounty Program
We at Puter are committed to maintaining a secure experience for our users and community. We greatly value the contributions of security researchers and welcome responsible disclosure of security issues.
Scope
The following are in scope for this program:
- The Puter open-source project (available at github.com/HeyPuter/puter)
puter.comapi.puter.com
Out-of-scope:
- Third-party services, applications, or libraries not maintained by Puter.
- Social engineering attacks (e.g., phishing against staff).
- Denial of Service (DoS), spam, or volumetric attacks.
- Physical security issues.
Known Non-Issues (Please Check Before Submitting)
The following have already been reviewed and determined not to be vulnerabilities. Reports that only re-describe one of these are not eligible for a reward and will be closed as non-issues — even if they include new code references. Please review this list before submitting:
- XSS / CORS / token issues scoped to
api.puter.com. The primary user session cookie lives onputer.com, not on the API origin, so reflected/stored XSS, CORS, or token handling onapi.puter.comis generally out of scope. Two exceptions we do evaluate on their merits — please report these: (a) attacker-controlled content served inline (e.g. an HTMLContent-Type) from API file/response endpoints, and (b) anything that abuses the app-scopedputer_token_v2companion cookie set on the API host. - SSRF via
secureFetch. Production routes outbound requests through an isolated proxy that has no access to internal/SSRF-sensitive resources. - Attacks that depend on guessing an
appInstanceIDor app UID. These are random 128-bit secret values and are not considered guessable. - Apps invoking drivers, creating workers, or using KV. Applications are intended to do this; worker permissions are scoped to the owning app. This is by design.
- App metadata or app user-count "leaks". This information is currently public by design.
- General "token in a URL" / token-lifetime designs — signed directory URLs exposing children, a write signature implying read, or app tokens outliving a web session. These are current intended behaviors.
- Missing PKCE, unverified
id_tokensignatures, or other OIDC hardening. Provider tokens are obtained through a server-to-server authorization-code exchange with the provider's token endpoint over TLS, so the resultingid_token/ userinfo claims are trusted from that channel rather than from local JWKS signature verification — the callback never accepts a caller-suppliedid_token. Adding local signature /aud/iss/expchecks is welcome defense-in-depth (please open a GitHub issue/PR), but their absence is not an account-takeover vector on its own. - JWT "algorithm confusion" / unpinned
algorithmsinjwt.verify. Puter's session tokens are HMAC-signed (HS256) with a server-side secret, and there is no asymmetric public key anywhere in the verification path, soalg-substitution attacks do not apply. Explicitly pinningalgorithmsis a fine hardening PR, but it is not a vulnerability. - Static-source "SQL injection" in internal pagination. Findings such as
LIMIT ${limit}in list/notification queries: the limit is numerically coerced and clamped before it reaches the query, so it is not reachable with attacker-controlled string input. Hardening PRs to the internal stores are welcome, but these are not exploitable as reported. - Deprecated
saveTo*GUI app messages. The legacysaveToDesktop/saveToDocuments/ etc. app-IPC handlers can create — never overwrite — new files in standard user folders. The behavior is non-destructive, path-traversal-safe, and deprecated (slated for removal); it is not treated as a sandbox escape. - Best-practice suggestions such as login/registration username enumeration (kept intentionally for UX) or unauthenticated unsubscribe links (industry norm).
- Rate-limiting suggestions for TURN credential issuance (intentional; not billed per tunnel).
If you believe you have a genuinely new exploit chain that defeats one of these rationales (for example, demonstrating a sensitive credential that really is reachable on api.puter.com), say so explicitly and show why the reasoning above does not apply.
Rules of Engagement
To participate, you must:
- Report responsibly: Provide detailed steps to reproduce the issue, including proof-of-concept code, screenshots, or a screen recording (see Proof of Reproduction below).
- Do no harm: Do not exfiltrate, modify, or delete data. Only access your own account or test data.
- Respect availability: Do not perform denial-of-service attacks or automated scans that degrade service.
- Follow disclosure policy: Do not publicly disclose vulnerabilities until we have confirmed and patched the issue.
- Act in good faith: Make every effort to avoid privacy violations, destruction of data, and interruption or degradation of services.
- Check the Known Non-Issues list: Reports matching an item in the "Known Non-Issues" section above are not eligible and will be closed.
Reports that do not meet these guidelines may not be eligible for a reward.
Proof of Reproduction
Reports must demonstrate a working, reproducible exploit with real impact — not a theoretical or static-source-review finding. Please include:
- Exact steps to reproduce, the relevant request/response or code path, and the commit or version you tested.
- The observed result versus the expected result.
- For client-side, UI, or authentication-flow bugs: a short screen recording (≤ 2 minutes) showing the exploit working end-to-end on a real Puter instance.
- For server-side bugs: a runnable proof-of-concept.
Reports based solely on reading the source ("source review only, not tested") or unverified AI/LLM-generated reports are the lowest triage priority and are generally not eligible. If you used an AI tool to help find an issue, you must personally verify that it actually reproduces before submitting.
Please submit one issue per report. Bundled "audit packs" of many speculative findings will be declined; send each confirmed issue separately.
Reporting Process
To report a vulnerability, email us at: security@puter.com. Include:
- A description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested remediation (if available)
We aim to acknowledge receipt within 72 hours and provide a resolution timeline.
Reward Structure
We offer monetary rewards based on the severity of the vulnerability, as determined by our internal assessment (using CVSS as a guide).
- Critical: $1,000 – $2,000
- High: $500 – $1,000
- Medium: $200 – $500
- Low: $50 – $100
Non-security issues, suggestions, and best practices feedback are always welcome, but may not qualify for a reward. If multiple researchers report the same issue, the bounty will be awarded to the first eligible report we receive.
Payments Disclaimer
All reward amounts are guidelines only. Final decisions about eligibility, severity classification, and payout amount are made at the sole discretion of the Puter security team. We reserve the right to determine whether a report qualifies for a bounty, and whether any payment will be issued at all. Submitting a report does not guarantee compensation.
Payment Method Requirement
At this time, payments will only be made via PayPal. To be eligible to receive a bounty, researchers must have a valid PayPal account capable of receiving payments. We are unable to process payments through other services or methods at this time.
Legal Safe Harbor
If you make a good-faith effort to comply with this policy, we will consider your research to be authorized. If you inadvertently access data outside your own account, stop immediately and include details in your report so we can investigate and remediate.