Postman Security Bug Bounty Program
Postman has aimed to ease the life of developers working with APIs since its inception and has worked hard to bring the best API development tool to millions of developers around the world.
We appreciate the efforts of everybody towards making Postman a secure tool to work with. If you believe you’ve found a security issue in our product or service, we encourage you to notify us. We will work with you to resolve the issue promptly.
Important Non-security bugs, general best practice violation and queries about problems (this includes password problems, suspected fraud and account abuse issues) with your account should be instead directed here. This would ensure that we can reach out to you efficiently.
For Postman to be able to effectively address and resolve the security issues, the security report must contain information pertaining to the impact of the vulnerability under realistic scenarios without needing to actually exploit the vulnerability.
- Please use test accounts to research security issues that are likely to compromise privacy of other users. Interact with accounts you own or with explicit permission of the account holder.
- Automated scanning tools generate a lot of false positives. Please refrain from using automated tools to report vulnerabilities.
- Do not perform DoS or DDoS attacks.
- If you need more information around our services or stack for reporting a particular vulnerability, please feel free to contact us.
- APIs and allied services on the domain postman.com and postman.co excluding services that do not access user data (example: blog.postman.com, docs.postman-echo.com, support.getpostman.com, httpbin.org).
- Postman native app, desktop agent and chrome extensions.
- Services served via the domain
You can find more information about the exact details of the program at our HackerOne page.
We spend time analysing every vulnerability that is reported. However, being a small team, we need to place some eligibility criteria to make the process manageable.
- You should report using our security reporting page hosted on HackerOne - https://hackerone.com/postman. To get your invite on HackerOne, send us an email to firstname.lastname@example.org with a summary of the nature of issue you want to report.
- You should be the first reporter of the vulnerability. A known vulnerability might exist that has been already identified internally or by someone else. We will make sure to notify you if that is the case.
- Please ensure that the vulnerability is limited to a service that is associated with the scope and surface discussed in this document. However, if you feel that something outside the mentioned scope can affect the Postman Community, we are open to discussion.
- In order to ensure that a vulnerability is resolved before it is exploited with malicious intent, it must not be publicly disclosed prior to resolution. Resolution of some low-impact vulnerabilities may take time, we appreciate your patience.
- Your vulnerability report should not contain proof-of-concept using any real user account.
- Issues of the same nature should be reported under a common vulnerability report. Kindly refrain from splitting up a common source or class of vulnerabilities into multiple reports as that will slow down resolution and credibility of subsequent reports.
- The vulnerability report must contain all information (such as IP address, username etc.) that will allow us to track and isolate the activities performed by you.
Being a developer tool, certain aspects of the product or service might appear vulnerable superficially. However, care is taken to address them using other means. Adding to that, certain classes of vulnerabilities are considered out of scope owing to the development stage of the service.
- Attacks requiring physical access to a user’s device or a user’s local network.
- Issues where data is sniffed using MITM or other network tools within the affected user’s local network (this does not include features of client-side encryption of user data or login data).
- If we are unable to isolate the vulnerability testing activities using one or more of: testing time frame, IP-address, http client agent, etc.
- Policies pertaining to account authentication and recovery is considered low impact.
- Clickjacking on static websites / content spoofing / text injection / self-XSS or missing security headers in network communication which do not lead directly to a vulnerability.
- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms or for users who have intentionally reduced security settings on a user’s platform.
- Denial of service attacks caused only by a large volume of requests or massive brute-force attempts. (We are open to hearing about low-complexity brute-force attempts).
- Issues related to software or protocols not under Postman’s control or disclosure of public information and information that does not present significant risk.
- Remote code execution in services that is intended to provide remote code execution within a sandbox as a service and reports that we determine to be an accepted risk owing to the nature of our service.
- Since we provide services that allow us to host user’s data publicly, please refrain from reporting issues where users of our service have accidentally exposed their data.
- Social engineering (including phishing) of Postdot Technologies Inc. staff or any physical attempts against Postdot Technologies Inc. property.
- Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue.
- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party in case any breach is discovered arising from the vulnerability.
- For the best interest of Postman Community, Postdot Technologies reserves the right to not disclose a vulnerability to public in case a breach was not discovered prior to resolution.
- Adhere to HackerOne’s disclosure guidelines.
We believe in recognizing the work of others. If your work helps us improve the security of our website, we'd be happy to acknowledge your work in our Hall of Fame.
Thank you for helping keep Postman and our users safe!