PubNub Bug Bounty Program

Introduction

PubNub is committed to maintaining the highest standards of security for our real-time communication platform, and our Bug Bounty Program demonstrates that commitment to protecting our customers' data. The program invites security researchers to identify and report potential security vulnerabilities in our systems. It covers the PubNub Platform, the Admin Portal, the website, and all official SDKs.

Scope

In-Scope Assets

  • PubNub Platform, API Infrastructure, and Real-time Messaging Infrastructure

  • Admin Dashboard

  • Official Website (pubnub.com)

  • Official SDKs and Client Libraries

Out-of-Scope Assets

  • Third-party Applications (The PubNub Bounty program does not extend to third-party services.)

  • Test Environments and Sandbox Systems

  • Example Code Repositories

  • Demo Applications

  • Infrastructure Provider Systems (e.g., AWS, Google Cloud)

Eligible Vulnerabilities

We accept reports for the following types of vulnerabilities:

  • Remote Code Execution (RCE)

  • SQL Injection

  • Authentication Bypass

  • Authorization Flaws

  • Cross-Site Scripting (XSS)

  • Information Disclosure

  • API Security Vulnerabilities

  • Secure Storage Issues

  • Cryptographic Vulnerabilities

Out-of-Scope Issues

The following are not eligible for bounties:

  • Misconfigurations in Test Environments

  • Social Engineering Attacks

  • Physical Security Attacks

  • Denial of Service (DoS/DDoS) Attacks

  • Rate Limiting Issues

  • Security Headers Missing

  • Self-XSS

  • Clickjacking on Non-sensitive Pages

  • Theoretical Vulnerabilities without Proof of Concept

Automated and AI-Generated Submissions

  • Reports generated by automated scanning tools (e.g., Nessus, Burp Scanner, Nuclei) without manual validation and a hand-crafted exploit demonstrating specific impact

  • Generic vulnerability descriptions not specific to PubNub's implementation

  • Reports generated primarily by AI/LLM tools without human verification (see AI-Assisted Submissions below)

PubNub welcomes the use of AI tools as long as they enhance, rather than replace, careful human analysis and validation.

AI-Assisted Vulnerability Reports

PubNub recognizes that AI tools may assist security researchers in their work. However, all submissions must reflect genuine, independently verified security findings.

If you use AI or LLM tools to assist in preparing your report, you must:

  1. Disclose AI usage. Indicate which tools were used and how (e.g., code analysis, report drafting, exploit generation).

  2. Manually verify all findings. Confirm the vulnerability is real, reproducible, and based on actual PubNub code, APIs, or infrastructure. You must be able to explain the vulnerability in your own words and respond to technical follow-up questions.

  3. Avoid fabricated content. Reports containing hallucinated code, fictitious API endpoints, placeholder exploit text, or references to non-existent PubNub features will be rejected immediately.

  4. Accept full accountability. You remain fully responsible for the accuracy of your submission regardless of AI tool usage.

Prohibited conduct:

  • Automated delivery of reports from AI systems, agents, scanners, scripts, or browser automation frameworks without human review and validation.

  • Mass-generated or bulk submissions produced by AI with minimal human verification.

  • Submitting reports containing hallucinated vulnerabilities, vague or incorrect technical content, or other forms of low-effort noise.

Consequences:

Reports that appear to be unverified AI output will be closed without response and are ineligible for bounty. Repeated low-quality or AI-generated submissions will result in a permanent ban from the program. PubNub reserves the right to reject any submission it determines was not the product of genuine human security research.

Reporting Process

  1. Submit reports to support@pubnub.com

  2. Include in your report:

    • Detailed description of the vulnerability

    • Step-by-step reproduction instructions

    • Proof of concept

    • Impact assessment

    • Suggested remediation

  3. Provide screenshots or video demonstrations where applicable

  4. Include your contact information for follow-up

Severity

Severity is determined based on:

  • Impact on system security

  • Ease of exploitation

  • Affected user base

  • Potential data exposure

Payout Process

Once the report is reviewed and the Bug Bounty award is allocated, the award is paid using PayPal.

Safe Harbor

Security researchers who:

  • Comply with this policy

  • Make good-faith efforts to avoid privacy violations

  • Avoid service disruption

  • Do not access customer data

will not be subject to legal action for their research.

Testing Guidelines

  • Avoid automated scanning tools

  • Do not access or modify customer data

  • Report vulnerabilities promptly

  • Maintain confidentiality until resolved

Contact

For questions about this program:

PubNub reserves the right to modify this policy at any time. All changes will be posted on our security portal.

***

PubNub Bug Bounty Program Terms and Conditions

Revised January 13, 2025

  1. PubNub Security Bounty awards are granted solely at PubNub's exclusive discretion.

  2. PubNub reserves the right to immediately remove you from the PubNub Bug Bounty program if you violate any PubNub Terms and Conditions, including this Bug Bounty Program Terms and Conditions.

  3. For a reported security vulnerability affecting any PubNub platform to be eligible for a bounty award, you must not disclose it to anyone other than PubNub until after PubNub has released a software update and published a security advisory for the reported security vulnerability.

  4. The participant must comply with all applicable laws (including directives, regulations, and ordinances), including those of the country or region in which you reside or in which you download or use PubNub software or services.

  5. PubNub reserves the right to reject any submission it determines was not the product of genuine human security research, including reports that are primarily AI-generated, agent-generated, or produced by automated systems without meaningful human verification and validation.

  6. PubNub reserves the right to permanently ban researchers who repeatedly submit low-quality, non-applicable, or AI-generated reports.

  7. Exclusions.

    • You are responsible for the payment of all applicable taxes.

    • Any awards not accepted within one year, or waived, shall become ineligible for issuance.

    • PubNub Bug Bounty awards may not be paid to you if you are in any U.S. embargoed country or if you are on the U.S. Treasury Department's list of Specially Designated Nationals, the U.S. Department of Commerce Denied Persons List or Entity List, or any other restricted party list.