PubNub Bug Bounty Program
Introduction
PubNub is committed to maintaining the highest standards of security for our real-time communication platform, and our Bug Bounty Program demonstrates our commitment to protecting our customers' data. The program invites security researchers to identify and report potential security vulnerabilities in our systems. It covers the PubNub Platform, Admin Portal, Website, and all official SDKs.
Scope
In-Scope Assets
PubNub Platform and API Infrastructure
Real-time Messaging Infrastructure
Admin Dashboard
Official Website (pubnub.com)
Official SDKs and Client Libraries
Out-of-Scope Assets
Third-party Applications (The PubNub Bounty program does not extend to third-party services.)
Test Environments and Sandbox Systems
Example Code Repositories
Demo Applications
Infrastructure Provider Systems (e.g., AWS, Google Cloud)
Eligible Vulnerabilities
We accept reports for the following types of vulnerabilities:
Remote Code Execution (RCE)
SQL Injection
Authentication Bypass
Authorization Flaws
Cross-Site Scripting (XSS)
Information Disclosure
API Security Vulnerabilities
Secure Storage Issues
Cryptographic Vulnerabilities
Out-of-Scope Issues
The following are not eligible for bounties:
Misconfigurations in Test Environments
Social Engineering Attacks
Physical Security Attacks
Denial of Service (DoS/DDoS) Attacks
Rate Limiting Issues
Missing Security Headers
Self-XSS
Clickjacking on Non-sensitive Pages
Theoretical Vulnerabilities without Proof of Concept
Reporting Process
Submit reports to support@pubnub.com
Include in your report:
Detailed description of the vulnerability
Step-by-step reproduction instructions
Proof of concept
Impact assessment
Suggested remediation
Provide screenshots or video demonstrations where applicable
Include your contact information for follow-up
Severity
Severity is determined based on:
Impact on system security
Ease of exploitation
Affected user base
Potential data exposure
Payout Process
Once the report is reviewed and the Bug Bounty award is allocated, the award is paid using PayPal.
Legal Considerations
Safe Harbor
Security researchers who:
Comply with this policy
Make good-faith efforts to avoid privacy violations
Avoid service disruption
Do not access customer data
will not be subject to legal action for their research.
Testing Guidelines
Avoid automated scanning tools
Do not access or modify customer data
Report vulnerabilities promptly
Maintain confidentiality until resolved
Contact
For questions about this program:
Email: support@pubnub.com
Security Portal: https://www.pubnub.com/trust/security/
PubNub reserves the right to modify this policy at any time. All changes will be posted on our security portal.
***
PubNub Bug Bounty Program Terms and Conditions
Revised January 13, 2025
PubNub Security Bounty awards are granted solely at PubNub’s exclusive discretion.
PubNub reserves the right to immediately remove you from the PubNub Bug Bounty program if you violate any PubNub Terms and Conditions, including this Bug Bounty Program Terms and Conditions.
For a reported security vulnerability affecting any PubNub platform to be eligible for a bounty award, you must not disclose it to anyone other than PubNub until after PubNub has released a software update and published a security advisory for the reported security vulnerability.
You must comply with all applicable laws (including directives, regulations, and ordinances), including those of the country or region in which you reside or in which you download or use PubNub software or services.
Exclusions.
You are responsible for the payment of all applicable taxes.
Any awards not accepted within one year, or waived, shall become ineligible for issuance.
PubNub Bug Bounty awards may not be paid to you if you are in any U.S. embargoed country or if you are on the U.S. Treasury Department’s list of Specially Designated Nationals, the U.S. Department of Commerce Denied Persons List or Entity List, or any other restricted party list.