Firewall (the service.rs core landed in efb1ba2): scope the web-console rule
(TCP 47992) to Domain+Private by default with a `--allow-public-network` opt-in
that deletes-then-re-adds the rule, and add the installer "Allow connections on
Public networks" task (unchecked) forwarding the flag to `service install` and
`web setup`. Default is now trusted-networks-only; Public is explicit.
Vulnerability disclosure: SECURITY.md (report to security@punktfunk.com, scope,
SLAs, safe harbor), a Gitea issue-template contact link, a README security line,
and a Reporting section on the docs Security page.
Docs: the Security page now documents the Private/Domain firewall default (and
how to fix a misclassified-Public network / opt in); removed internal design-doc
and CLAUDE.md links from the user-facing docs.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Security Policy
punktfunk is a low-latency desktop/game streaming stack. A host is effectively remote control of a machine, so we take security reports seriously and appreciate responsible disclosure.
Reporting a vulnerability
Please report security issues privately by email to security@punktfunk.com.
Do not open a public issue, pull request, or chat/forum post for a suspected vulnerability — that exposes other users before a fix exists.
What to include
The more of this you can give us, the faster we can act:
- The component and version (e.g. `punktfunk-host` 0.6.0, Windows or Linux, which client).
- The impact — what an attacker can do, and from what position (same LAN, a local service account, admin, a paired client, …).
- Steps to reproduce, a proof-of-concept, or a crash/log if you have one.
- Any suggested fix or mitigation (optional).
What to expect
We're a small team, so timelines are best-effort, but we commit to:
- Acknowledge your report within 3 business days.
- Give an initial assessment (severity + whether we can reproduce) within about 7 days.
- Keep you updated, and tell you when a fix ships.
- Credit you in the advisory / release notes when the fix is public — unless you'd rather stay anonymous.
We practice coordinated disclosure: please give us reasonable time to release a fix before publishing details. We aim to resolve valid issues within 90 days and will agree a disclosure date with you.
Scope
In scope — the code in this repository:
- The host (`punktfunk-host`), its Windows drivers, and the protocol/crypto core (`punktfunk-core`).
- The native clients (Apple, Linux, Windows, Android), the web management console, and the management API.
Known limits — documented behavior, not vulnerabilities (see https://docs.punktfunk.unom.io/docs/security):
- Admin/SYSTEM already on the host = out of scope. An attacker who is already administrator or SYSTEM on the host owns the machine regardless of punktfunk.
- The virtual display is a real monitor — any process already in the interactive desktop session can capture it via the normal OS screen-capture APIs, exactly as it could a physical monitor.
- GameStream/Moonlight compatibility (`--gamestream`) uses legacy encryption and is documented as opt-in, trusted-LAN-only.
- Public-internet exposure is unsupported — issues that only arise from exposing the host to the WAN are expected; keep the host on a trusted LAN or a VPN.
If you're unsure whether something is in scope, report it anyway — we'd rather hear about it.
Safe harbor
We consider good-faith security research that follows this policy to be authorized, and we won't pursue legal action against researchers who:
- make a good-faith effort to avoid privacy violations, data loss, and service disruption,
- only test systems they own or have explicit permission to test,
- give us reasonable time to remediate before public disclosure,
- don't exfiltrate more data than needed to demonstrate the issue.
Thank you for helping keep punktfunk and its users safe.