Postman Security Bounty Program

An overview of our security reporting and bounty program

Postman has aimed to ease the life of developers working with APIs since its inception and has worked hard to bring the best API development tool to millions of developers around the world. Developing a GUI-driven REST client is a time-consuming affair, and our small team works hard to bring you the best tool, with security as a high-priority aspect.

We appreciate the efforts of everybody towards making Postman a secure tool to work with. If you believe you have found a security issue in our product or service, we encourage you to notify us. We will work with you to resolve the issue promptly.

For Postman to be able to effectively address and resolve a security issue, the report must describe the impact of the vulnerability under realistic scenarios. Demonstrating impact should not require actually exploiting the vulnerability against our service or its users.

  • Please use test accounts when researching security issues that are likely to compromise the privacy of other users. Only interact with accounts you own or have the explicit permission of the account holder to use.
  • Automated scanning tools put a lot of strain on our servers. Please refrain from running automated scanners against our services or submitting their raw output as vulnerability reports.
  • Do not perform DoS or DDoS attacks. We are, however, open to hearing about hypothetical denial-of-service scenarios that are within our scope and that we can replicate ourselves on a small scale.
  • If you need more information around our services or stack for reporting a particular vulnerability, please feel free to contact us.

Not every report can be rewarded. We do honestly hope that some reports will be made out of sheer goodwill and love for Postman as a product. We do not have a paid bounty program yet, but vulnerabilities that required significant effort on the researcher's part and that have an extremely high-risk impact will be considered for financial rewards.

In other cases, we hope to reward you by recognising you on the leaderboard as well as sharing Postman swag and recommendations.

We spend time analysing every vulnerability that is reported. However, being a small team, we need to place some eligibility criteria to make the process manageable.

  • You should report using our security reporting page hosted on HackerOne - https://hackerone.com/postmanlabs. To get your invite on HackerOne, send an email to security@getpostman.com with a summary of the nature of the issue you want to report.
  • You should be the first reporter of the vulnerability. The vulnerability may already have been identified internally or by someone else; we will make sure to notify you if that is the case.
  • Please ensure that the vulnerability is limited to a service that is associated with the scope and surface discussed in this document. However, if you feel that something outside the mentioned scope can affect the Postman Community, we are open to discussion.
  • We should not be legally prohibited from rewarding you.
  • In order to ensure that a vulnerability is resolved before it is exploited with malicious intent, it must not be publicly disclosed prior to resolution. Resolution of some low-impact vulnerabilities may take time; we appreciate your patience.
  • Your vulnerability report should not contain proof-of-concept using any real user account.
  • Issues of the same nature should be reported under a common vulnerability report. Kindly refrain from splitting up a common source or class of vulnerabilities into multiple reports, as that will slow down resolution and reduce the credibility of subsequent reports.
  • The vulnerability report must contain all information (such as IP address, username etc.) that will allow us to track and isolate the activities performed by you.

Being a developer tool, certain aspects of the product or service might appear vulnerable superficially. However, care is taken to address them using other means. In addition, certain classes of vulnerabilities are considered low-impact owing to the development stage of the service.

  • Attacks requiring physical access to a user's device or a user's local network are considered low impact.
  • Issues where data is sniffed using MITM or other network tools within the affected user's local network (this exclusion does not cover data that our client-side encryption features are meant to protect, such as user data or login data).
  • Reports where we are unable to isolate your testing activities using one or more of: testing time frame, IP address, HTTP client user agent, etc.
  • Policies pertaining to account authentication and recovery are considered low impact.
  • Clickjacking on static websites, content spoofing, text injection, or missing security headers in network communication, where these do not lead directly to a vulnerability.
  • Vulnerabilities only affecting users of outdated or unpatched browsers and platforms, or users who have intentionally reduced the security settings on their platform.
  • Denial-of-service attacks caused only by a large volume of requests or massive brute-force attempts. (We are open to hearing about low-complexity brute-force attacks.)
  • Issues related to software or protocols not under Postman's control, disclosure of public information, and information that does not present significant risk.
  • Remote code execution in services that are intended to provide sandboxed remote code execution as a service, and reports that we determine to be an accepted risk owing to the nature of our service.
  • Since we provide services that allow users to host their data publicly, please refrain from reporting issues where users of our service have accidentally exposed their own data.
  • Social engineering (including phishing) of Postdot Technologies Inc. staff, or any physical attempts against Postdot Technologies Inc. property.

Finally, with regard to disclosure:

  • Let us know as soon as possible upon discovery of a potential security issue, and we will make every effort to resolve the issue quickly.
  • Give us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party, even if a breach arising from the vulnerability is discovered.
  • In the best interest of the Postman Community, Postdot Technologies reserves the right not to publicly disclose a vulnerability if no breach was discovered prior to its resolution.