Postman Security bug bounty program

Postman has aimed to ease the life of developers working with APIs since its inception and has worked hard to bring the best API development tool to millions of developers around the world.

We appreciate the efforts of everybody towards making Postman a secure collaboration platform for API development. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will work with you to resolve the issue promptly.

Important: Non-security bugs, general best practice violation and queries about problems (this includes password problems, suspected fraud and account abuse issues) with your account should be instead directed here. This would ensure that we can reach out to you efficiently.

Advisories

For Postman to be able to effectively address and resolve the security issues, the report must contain information pertaining to the impact of the vulnerability under realistic scenarios without needing to actually exploit the vulnerability.

• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Please use test accounts to research security issues that are likely to compromise the privacy of other users. Interact with accounts you own or with the explicit permission of the account holder.
• Automated scanning tools generate a lot of false positives. Please refrain from using automated tools to report vulnerabilities.
• Do not perform DoS or DDoS attacks.
• If you need more information about our services or stack for reporting a particular vulnerability, please feel free to contact us.

• APIs and allied services on the domain getpostman.com, postman.com and postman.co excluding services that do not access user data.

  • Some examples that are out of scope, however, please note that this is not an exhaustive list: www.postman.com, www.getpostman.com, Postman blog assets (blog.postman.com), status.postman.com, status.getpostman.com, store.postman.com, learning.postman.com, *.postman-echo.com, support.postman.com, community.postman.com, looker.postman.co, httpbin.org, postman.atlassian.net).

• https://github.com/postmanlabs/newman

  • Newman is a command-line collection runner for Postman. You can find more information about Newman on our learning center doc here.

• https://github.com/postmanlabs/postman-sandbox

  • Sandbox for Postman scripts to run in Node.js or browser.

• https://github.com/postmanlabs/postman-runtime

  • This is the Postman runtime library that supports request sending and collection running in the Postman app and allied systems (Postman Monitoring, Newman).

• Postman native app and Postman agent.

  • Here is a blog post which you may refer to for more information on the Postman agent.

• dl.pstmn.io and dl-agent.pstmn.io.

You can find more information about the exact details of the program at our HackerOne page.

• You should report using our security reporting page hosted on HackerOne - https://hackerone.com/postman. To get your invite on HackerOne, send us an email to security@postman.com with a summary of the nature of the issue you want to report.
• You should be the first reporter of the vulnerability. A known vulnerability might exist that has been already identified internally or by someone else. We will make sure to notify you if that is the case.
• Please ensure that the vulnerability is limited to a service that is associated with the scope and surface discussed in this document. However, if you feel that something outside the mentioned scope can affect Postman, we are open to discussion.
• To ensure that a vulnerability is resolved before it is exploited with malicious intent, it must not be publicly disclosed prior to resolution. Resolution of some low-impact vulnerabilities may take time, we appreciate your patience.
• Your vulnerability report should not contain proof-of-concept using an account that you do not own or have permission for.
• Issues of the same nature should be reported under a common vulnerability report. Kindly refrain from splitting up a common source or class of vulnerabilities into multiple reports as that will slow down the resolution and credibility of subsequent reports.
• The vulnerability report must contain all information (such as IP address, username, etc.) that will allow us to track and isolate the activities performed by you.

Being a developer tool, certain aspects of the product or service might appear vulnerable superficially. However, care is taken to address them using other means. Adding to that, certain classes of vulnerabilities are considered out of scope owing to the development stage of the service. Please also note that vulnerabilities found on third-party services are considered out of scope. Issues that are out of scope includes but are not limited to:

• Attacks requiring physical access to a user's device or a user's local network.
• Issues where data is sniffed using MITM or other network tools within the affected user's local network (this does not include features of client-side encryption of user data or login data).
• Clickjacking on static websites / content spoofing / text injection / self-XSS or missing security headers in network communication which do not lead directly to a vulnerability.
• Missing best practices in Content Security Policy.
• Missing email best practices (Invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.).
• Vulnerabilities only affecting users of outdated or unpatched browsers / platforms.
• Denial of service attacks caused only by a large volume of requests or massive brute-force attempts.
• Issues related to software or protocols not under Postman's control or disclosure of public information and information that does not present significant risk.
• Remote code execution in services that is intended to provide remote code execution within a sandbox as a service and reports that we determine to be an accepted risk owing to the nature of our service.
• We provide services that give our users the ability to publicly display any of their data. As indicated in our shared-responsibility model, end users have to ensure that they follow safe practices. However, if you become aware of any security concerns specific to our users and how they are using Postman, please feel free to contact us, and we will reach out to the user on your behalf.
• Social engineering (including phishing) of Postman, Inc. staff or any physical attempts against Postman, Inc. property.
• Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
• Open redirect - unless an additional security impact can be demonstrated.
• IP stealing through images in markdown.
• Missing HttpOnly or Secure flags on cookies.
• Issues related to the usage of vulnerable libraries without an exploit.
• Issues related to rate limiting (we are mindful of the lack of rate limiting in some places and are currently working on a product-wide solution to address this).
• Disclosure of internal IP address.
• CSRF without any security impact.
• 'Best practice' recommendations without an exploit.
• Findings from automated tools without an exploit.
• Weak password policies.
• User/Team enumeration.
• Session fixation.
• Tabnabbing.
• HTTP communication on ra.postman.co.

• Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
• Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party in case any breach is discovered arising from the vulnerability.
• For the best interest of the Postman Community, Postman, Inc. reserves the right to not disclose a vulnerability to the public in case a breach was not discovered prior to resolution.
• Adhere to HackerOne's disclosure guidelines.

We believe in recognizing the work of others. If your work helps us improve the security of our product and/or service, we'd be happy to reward your work accordingly.

Thank you for helping keep Postman and our users safe!