Six parallel audits swept the root docs, docs-site, every per-directory README, and the packaging docs; every claim below was verified against the source before editing. - README: Layout gains the six missing crates (pf-client-core, pf-presenter, pf-console-ui, pf-ffvk, pf-driver-proto, punktfunk-tray), clients/session, api/ and ci/; Linux/Windows client rows reflect the shell + Vulkan-session split and the Vulkan Video -> VAAPI/D3D11VA -> software decode chains; the "every client over a C ABI" claim is corrected (Rust clients link the core directly); tiered stats overlay + console shell noted; Apple row mentions AV1. - CONTRIBUTING: drop the dead CLAUDE.md link (deliberately untracked); point at the README's build/invariants sections. SECURITY: 0.9.0. - host-cli/pairing: --allow-pairing/--require-pairing are no-op legacy names — pairing is required by default, --allow-tofu is the real flag; document --data-port and --idle-timeout-ms. - configuration: document PUNKTFUNK_RECOVER_SESSION_CMD (session-crash recovery hook), PUNKTFUNK_MDNS, PUNKTFUNK_DATA_PORT. - virtual-displays/gnome: GNOME per-client scaling shipped (host- persisted) — flip the ❌ to ✅ and describe how it works. - stats: new "Detail levels" section (Off/Compact/Normal/Detailed + per-platform cycle gestures); retire the GTK hand-off note. - clients/install-client/status/roadmap: decode chains, Windows client validation narrowed to HDR-only pending, adaptive bitrate, console shell, Apple AV1, Windows host vendor list. - Sub-READMEs: clients/linux rewritten for the re-architecture; session Windows decode rung + d3d11va knob; Windows tiered overlay; Android minSdk 28; decky file table; host zerocopy/ path; scripts port 47992 and steamos-host.md; pf-dualsense source path. - packaging: canary version bases are tag-derived (<next-minor> via pf-version.sh/.ps1), codecs-extra not ffmpeg-full, document the pinned offline-Skia tarball + SKIA_BINARIES_URL and vulkan-headers. - Convert 15 dangling design/*.md links to the punktfunk-planning prose convention (those docs live in the private planning repo). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
3.1 KiB
Security Policy
punktfunk is a low-latency desktop/game streaming stack. A host is effectively remote control of a machine, so we take security reports seriously and appreciate responsible disclosure.
Reporting a vulnerability
Please report security issues privately by email to security@punktfunk.com.
Do not open a public issue, pull request, or chat/forum post for a suspected vulnerability — that exposes other users before a fix exists.
What to include
The more of this you can give us, the faster we can act:
- The component and version (e.g.
punktfunk-host 0.9.0, Windows or Linux, which client). - The impact — what an attacker can do, and from what position (same LAN, a local service account, admin, a paired client, …).
- Steps to reproduce, a proof-of-concept, or a crash/log if you have one.
- Any suggested fix or mitigation (optional).
What to expect
We're a small team, so timelines are best-effort, but we commit to:
- Acknowledge your report within 3 business days.
- Give an initial assessment (severity + whether we can reproduce) within about 7 days.
- Keep you updated, and tell you when a fix ships.
- Credit you in the advisory / release notes when the fix is public — unless you'd rather stay anonymous.
We practice coordinated disclosure: please give us reasonable time to release a fix before publishing details. We aim to resolve valid issues within 90 days and will agree a disclosure date with you.
Scope
In scope — the code in this repository:
- The host (
punktfunk-host), its Windows drivers, and the protocol/crypto core (punktfunk-core). - The native clients (Apple, Linux, Windows, Android), the web management console, and the management API.
Known limits — documented behavior, not vulnerabilities (see https://docs.punktfunk.unom.io/docs/security):
- Admin/SYSTEM already on the host = out of scope. An attacker who is already administrator or SYSTEM on the host owns the machine regardless of punktfunk.
- The virtual display is a real monitor — any process already in the interactive desktop session can capture it via the normal OS screen-capture APIs, exactly as it could a physical monitor.
- GameStream/Moonlight compatibility (
--gamestream) uses legacy encryption and is documented as opt-in, trusted-LAN-only. - Public-internet exposure is unsupported — issues that only arise from exposing the host to the WAN are expected; keep the host on a trusted LAN or a VPN.
If you're unsure whether something is in scope, report it anyway — we'd rather hear about it.
Safe harbor
We consider good-faith security research that follows this policy to be authorized, and we won't pursue legal action against researchers who:
- make a good-faith effort to avoid privacy violations, data loss, and service disruption,
- only test systems they own or have explicit permission to test,
- give us reasonable time to remediate before public disclosure,
- don't exfiltrate more data than needed to demonstrate the issue.
Thank you for helping keep punktfunk and its users safe.