enricobuehler b9fde03f1e feat(security): finish Windows firewall Public opt-in wiring + vuln-disclosure + doc cleanup
Firewall (the service.rs core landed in efb1ba2): scope the web-console rule
(TCP 47992) to Domain+Private by default with a `--allow-public-network` opt-in
that deletes-then-re-adds the rule, and add the installer "Allow connections on
Public networks" task (unchecked) forwarding the flag to `service install` and
`web setup`. Default is now trusted-networks-only; Public is explicit.

Vulnerability disclosure: SECURITY.md (report to security@punktfunk.com, scope,
SLAs, safe harbor), a Gitea issue-template contact link, a README security line,
and a Reporting section on the docs Security page.

Docs: the Security page now documents the Private/Domain firewall default (and
how to fix a misclassified-Public network / opt in); removed internal design-doc
and CLAUDE.md links from the user-facing docs.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-03 14:08:17 +00:00
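The firewall scoping the commit message describes, as an added PowerShell example that is not the project's own `service.rs` implementation: the web-console rule for TCP 47992 is applied to the Domain and Private profiles by default, and the Public opt-in is done by deleting and re-adding the rule. The rule display name and the interface alias in the comment are assumptions, not values from the repository.

```powershell
# Added example (not punktfunk code). Requires an elevated PowerShell session.
$RuleName = 'punktfunk web console (TCP 47992)'   # assumed display name, not from the repo
$Port     = 47992                                 # web-console port named in the commit

function Set-ConsoleFirewallRule {
    # -AllowPublicNetwork mirrors the `--allow-public-network` opt-in: without it the
    # rule is limited to trusted (Domain + Private) networks.
    param([switch]$AllowPublicNetwork)

    $profiles = if ($AllowPublicNetwork) { 'Domain', 'Private', 'Public' }
                else                     { 'Domain', 'Private' }

    # Delete-then-re-add: an existing rule with a different profile set is replaced
    # rather than left behind, so re-running with or without the switch is safe.
    Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $Port -Profile $profiles | Out-Null
}

function Get-ConsoleFirewallExposure {
    # Post-install check: confirm which profiles and port the rule actually covers.
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction Stop
    $port = $rule | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Enabled  = $rule.Enabled
        Profiles = $rule.Profile      # 'Domain, Private' unless Public was opted in
        Protocol = $port.Protocol
        Port     = $port.LocalPort
    }
}

Set-ConsoleFirewallRule             # default: trusted networks only
Get-ConsoleFirewallExposure

# Opt in only when the network really is untrusted-by-design; a home LAN that Windows
# has merely classified as Public is fixed by reclassifying the connection instead, e.g.
#   Set-NetConnectionProfile -InterfaceAlias 'Ethernet' -NetworkCategory Private
# (interface alias assumed).
# Set-ConsoleFirewallRule -AllowPublicNetwork
```

`Get-ConsoleFirewallExposure` shows `Profiles = Domain, Private` after the default call and adds `Public` only after the opt-in call, which is the property a defender wants to verify after the installer task runs.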


Security Policy

punktfunk is a low-latency desktop/game streaming stack. A host is effectively remote control of a machine, so we take security reports seriously and appreciate responsible disclosure.

Reporting a vulnerability

Please report security issues privately by email to security@punktfunk.com.

Do not open a public issue, pull request, or chat/forum post for a suspected vulnerability — that exposes other users before a fix exists.

What to include

The more of this you can give us, the faster we can act:

  • The component and version (e.g. punktfunk-host 0.6.0, Windows or Linux, which client).
  • The impact — what an attacker can do, and from what position (same LAN, a local service account, admin, a paired client, …).
  • Steps to reproduce, a proof-of-concept, or a crash/log if you have one.
  • Any suggested fix or mitigation (optional).

What to expect

We're a small team, so timelines are best-effort, but we commit to:

  • Acknowledge your report within 3 business days.
  • Give an initial assessment (severity + whether we can reproduce) within about 7 days.
  • Keep you updated, and tell you when a fix ships.
  • Credit you in the advisory / release notes when the fix is public — unless you'd rather stay anonymous.

We practice coordinated disclosure: please give us reasonable time to release a fix before publishing details. We aim to resolve valid issues within 90 days and will agree a disclosure date with you.

Scope

In scope — the code in this repository:

  • The host (punktfunk-host), its Windows drivers, and the protocol/crypto core (punktfunk-core).
  • The native clients (Apple, Linux, Windows, Android), the web management console, and the management API.

Known limits — documented behavior, not vulnerabilities (see https://docs.punktfunk.unom.io/docs/security):

  • Admin/SYSTEM already on the host = out of scope. An attacker who is already administrator or SYSTEM on the host owns the machine regardless of punktfunk.
  • The virtual display is a real monitor — any process already in the interactive desktop session can capture it via the normal OS screen-capture APIs, exactly as it could a physical monitor.
  • GameStream/Moonlight compatibility (--gamestream) uses legacy encryption and is documented as opt-in, trusted-LAN-only.
  • Public-internet exposure is unsupported — issues that only arise from exposing the host to the WAN are expected; keep the host on a trusted LAN or a VPN.

If you're unsure whether something is in scope, report it anyway — we'd rather hear about it.

Safe harbor

We consider good-faith security research that follows this policy to be authorized, and we won't pursue legal action against researchers who:

  • make a good-faith effort to avoid privacy violations, data loss, and service disruption,
  • only test systems they own or have explicit permission to test,
  • give us reasonable time to remediate before public disclosure,
  • don't exfiltrate more data than needed to demonstrate the issue.

Thank you for helping keep punktfunk and its users safe.