Puter Bug Bounty Program
We at Puter are committed to maintaining a secure experience for our users and community. We greatly value the contributions of security researchers and welcome responsible disclosure of security issues.
Scope
The following are in scope for this program:
- The Puter open-source project (available at github.com/HeyPuter)
- puter.com
- api.puter.com
Out-of-scope:
- Third-party services, applications, or libraries not maintained by Puter.
- Social engineering attacks (e.g., phishing against staff).
- Denial of Service (DoS), spam, or volumetric attacks.
- Physical security issues.
Rules of Engagement
To participate, you must:
- Report responsibly: Provide detailed steps to reproduce the issue, including proof-of-concept code or screenshots where applicable.
- Do no harm: Do not exfiltrate, modify, or delete data. Only access your own account or test data.
- Respect availability: Do not perform denial-of-service attacks or automated scans that degrade service.
- Follow disclosure policy: Do not publicly disclose vulnerabilities until we have confirmed and patched the issue.
- Act in good faith: Make every effort to avoid privacy violations, destruction of data, and interruption or degradation of services.
Reports that do not meet these guidelines may not be eligible for a reward.
Reporting Process
To report a vulnerability, email us at: security@puter.com. Include:
- A description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested remediation (if available)
We aim to acknowledge receipt within 72 hours and provide a resolution timeline.
Reward Structure
We offer monetary rewards based on the severity of the vulnerability, as determined by our internal assessment (using CVSS as a guide).
- Critical: $1,000 – $2,000
- High: $500 – $1,000
- Medium: $200 – $500
- Low: $50 – $100
Non-security issues, suggestions, and best practices feedback are always welcome, but may not qualify for a reward. If multiple researchers report the same issue, the bounty will be awarded to the first eligible report we receive.
Payments Disclaimer
All reward amounts are guidelines only. Final decisions about eligibility, severity classification, and payout amount are made at the sole discretion of the Puter security team. We reserve the right to determine whether a report qualifies for a bounty, and whether any payment will be issued at all. Submitting a report does not guarantee compensation.
Payment Method Requirement
At this time, payments will only be made via PayPal. To be eligible to receive a bounty, researchers must have a valid PayPal account capable of receiving payments. We are unable to process payments through other services or methods at this time.
Legal Safe Harbor
If you make a good-faith effort to comply with this policy, we will consider your research to be authorized. If you inadvertently access data outside your own account, stop immediately and include details in your report so we can investigate and remediate.