Postman Security bug bounty program
Bug bounty program
Postman has aimed to ease the life of developers working with APIs since its inception and has worked hard to bring the best API development tool to millions of developers around the world.
We appreciate the efforts of everybody towards making Postman a secure collaboration platform for API development. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will work with you to resolve the issue promptly.
Important: Non-security bugs, general best practice violations, and queries about problems with your account (this includes password problems, suspected fraud and account abuse issues) should instead be directed here. This ensures that we can reach out to you efficiently.
Advisories
For Postman to be able to effectively address and resolve the security issues, the report must contain information pertaining to the impact of the vulnerability under realistic scenarios without needing to actually exploit the vulnerability.
Scope
You can find more information about the exact details of the program at our HackerOne page.
Eligibility
Non-qualifying vulnerabilities
Because Postman is a developer tool, certain aspects of the product or service might superficially appear vulnerable. However, care is taken to address them using other means. In addition, certain classes of vulnerabilities are considered out of scope owing to the development stage of the service. Please also note that vulnerabilities found on third-party services are considered out of scope. Issues that are out of scope include, but are not limited to:
Disclosure policy
Thanks!
We believe in recognizing the work of others. If your work helps us improve the security of our product and/or service, we'd be happy to reward your work accordingly.
Thank you for helping keep Postman and our users safe!
Postman Security and Trust Portal
Access Postman's security and compliance documents on our Security and Trust Portal, such as penetration testing and audit reports.