An overview of our security reporting and bounty program
Postman has aimed to ease the life of developers working with APIs since its inception and has worked hard to bring the best API development tool to millions of developers around the world. Developing a GUI-driven REST client is a time-consuming affair, and our small team works hard to bring you the best tool, with security as a high-priority aspect.
We appreciate the efforts of everybody towards making Postman a secure tool to work with. If you believe you’ve found a security issue in our product or service, we encourage you to notify us. We will work with you to resolve the issue promptly.
Important: Non-security bugs, general best-practice violations and queries about problems with your account (this includes password problems, suspected fraud and account abuse issues) should instead be directed here. This ensures that we can reach out to you efficiently.
For Postman to be able to effectively address and resolve security issues, the security report must contain information about the impact of the vulnerability under realistic scenarios, without needing to actually exploit the vulnerability.
Not every report can be rewarded. We do honestly hope that some reports will be made out of sheer goodwill and love for Postman as a product. We do not have a paid bounty program yet, but vulnerabilities that required significant effort on the researcher's part and have an extremely high-risk impact will be considered for financial rewards.
In other cases, we hope to reward you by recognizing you on the leaderboard as well as sharing swag.
We spend time analysing every vulnerability that is reported. However, being a small team, we need to set some eligibility criteria to keep the process manageable.
Being a developer tool, certain aspects of the product or service might appear vulnerable superficially. However, care is taken to address them using other means. In addition, certain classes of vulnerabilities are considered low-impact owing to the development stage of the service.