ef39050dbc
windows-drivers / probe-and-proto (push) Successful in 47s
ci / web (push) Successful in 58s
apple / swift (push) Successful in 1m13s
decky / build-publish (push) Successful in 16s
ci / docs-site (push) Successful in 1m19s
docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Successful in 12s
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Successful in 9s
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Successful in 8s
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Successful in 43s
windows-drivers / driver-build (push) Successful in 1m45s
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Successful in 55s
ci / bench (push) Successful in 7m18s
flatpak / build-publish (push) Successful in 6m18s
docker / deploy-docs (push) Successful in 25s
windows-host / package (push) Successful in 8m31s
release / apple (push) Successful in 11m41s
android / android (push) Successful in 13m4s
windows-msix / package (arm64, C:\Users\Public\ffmpeg-arm64, --no-default-features, aarch64-pc-windows-msvc, C:\t-a64) (push) Successful in 1m57s
windows-msix / package (x64, C:\Users\Public\ffmpeg, , x86_64-pc-windows-msvc, C:\t) (push) Successful in 2m16s
arch / build-publish (push) Successful in 16m24s
windows / build (aarch64-pc-windows-msvc) (push) Successful in 1m6s
deb / build-publish (push) Successful in 17m54s
windows / build (x86_64-pc-windows-msvc) (push) Successful in 1m27s
ci / rust (push) Successful in 18m23s
apple / screenshots (push) Successful in 5m58s
rpm / build-publish (43, bazzite, punktfunk-fedora-rpm) (push) Successful in 20m24s
rpm / build-publish (44, fedora-44, punktfunk-fedora44-rpm) (push) Successful in 18m43s
Six parallel audits swept the root docs, docs-site, every per-directory README, and the packaging docs; every claim below was verified against the source before editing. - README: Layout gains the six missing crates (pf-client-core, pf-presenter, pf-console-ui, pf-ffvk, pf-driver-proto, punktfunk-tray), clients/session, api/ and ci/; Linux/Windows client rows reflect the shell + Vulkan-session split and the Vulkan Video -> VAAPI/D3D11VA -> software decode chains; the "every client over a C ABI" claim is corrected (Rust clients link the core directly); tiered stats overlay + console shell noted; Apple row mentions AV1. - CONTRIBUTING: drop the dead CLAUDE.md link (deliberately untracked); point at the README's build/invariants sections. SECURITY: 0.9.0. - host-cli/pairing: --allow-pairing/--require-pairing are no-op legacy names — pairing is required by default, --allow-tofu is the real flag; document --data-port and --idle-timeout-ms. - configuration: document PUNKTFUNK_RECOVER_SESSION_CMD (session-crash recovery hook), PUNKTFUNK_MDNS, PUNKTFUNK_DATA_PORT. - virtual-displays/gnome: GNOME per-client scaling shipped (host- persisted) — flip the ❌ to ✅ and describe how it works. - stats: new "Detail levels" section (Off/Compact/Normal/Detailed + per-platform cycle gestures); retire the GTK hand-off note. - clients/install-client/status/roadmap: decode chains, Windows client validation narrowed to HDR-only pending, adaptive bitrate, console shell, Apple AV1, Windows host vendor list. - Sub-READMEs: clients/linux rewritten for the re-architecture; session Windows decode rung + d3d11va knob; Windows tiered overlay; Android minSdk 28; decky file table; host zerocopy/ path; scripts port 47992 and steamos-host.md; pf-dualsense source path. - packaging: canary version bases are tag-derived (<next-minor> via pf-version.sh/.ps1), codecs-extra not ffmpeg-full, document the pinned offline-Skia tarball + SKIA_BINARIES_URL and vulkan-headers. - Convert 15 dangling design/*.md links to the punktfunk-planning prose convention (those docs live in the private planning repo). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
70 lines
3.1 KiB
Markdown
70 lines
3.1 KiB
Markdown
# Security Policy
|
|
|
|
punktfunk is a low-latency desktop/game streaming stack. A host is effectively remote control of a
|
|
machine, so we take security reports seriously and appreciate responsible disclosure.
|
|
|
|
## Reporting a vulnerability
|
|
|
|
**Please report security issues privately by email to security@punktfunk.com.**
|
|
|
|
Do **not** open a public issue, pull request, or chat/forum post for a suspected vulnerability — that
|
|
exposes other users before a fix exists.
|
|
|
|
### What to include
|
|
|
|
The more of this you can give us, the faster we can act:
|
|
|
|
- The component and version (e.g. `punktfunk-host 0.9.0`, Windows or Linux, which client).
|
|
- The impact — what an attacker can do, and from what position (same LAN, a local service account,
|
|
admin, a paired client, …).
|
|
- Steps to reproduce, a proof-of-concept, or a crash/log if you have one.
|
|
- Any suggested fix or mitigation (optional).
|
|
|
|
## What to expect
|
|
|
|
We're a small team, so timelines are best-effort, but we commit to:
|
|
|
|
- **Acknowledge** your report within **3 business days**.
|
|
- Give an **initial assessment** (severity + whether we can reproduce) within about **7 days**.
|
|
- Keep you updated, and tell you when a fix ships.
|
|
- **Credit** you in the advisory / release notes when the fix is public — unless you'd rather stay
|
|
anonymous.
|
|
|
|
We practice **coordinated disclosure**: please give us reasonable time to release a fix before
|
|
publishing details. We aim to resolve valid issues within **90 days** and will agree a disclosure
|
|
date with you.
|
|
|
|
## Scope
|
|
|
|
In scope — the code in this repository:
|
|
|
|
- The host (`punktfunk-host`), its Windows drivers, and the protocol/crypto core (`punktfunk-core`).
|
|
- The native clients (Apple, Linux, Windows, Android), the web management console, and the management
|
|
API.
|
|
|
|
Known limits — documented behavior, not vulnerabilities (see
|
|
https://docs.punktfunk.unom.io/docs/security):
|
|
|
|
- **Admin/SYSTEM already on the host = out of scope.** An attacker who is already administrator or
|
|
SYSTEM on the host owns the machine regardless of punktfunk.
|
|
- **The virtual display is a real monitor** — any process already in the interactive desktop session
|
|
can capture it via the normal OS screen-capture APIs, exactly as it could a physical monitor.
|
|
- **GameStream/Moonlight compatibility** (`--gamestream`) uses legacy encryption and is documented as
|
|
opt-in, trusted-LAN-only.
|
|
- **Public-internet exposure is unsupported** — issues that only arise from exposing the host to the
|
|
WAN are expected; keep the host on a trusted LAN or a VPN.
|
|
|
|
If you're unsure whether something is in scope, report it anyway — we'd rather hear about it.
|
|
|
|
## Safe harbor
|
|
|
|
We consider good-faith security research that follows this policy to be authorized, and we won't
|
|
pursue legal action against researchers who:
|
|
|
|
- make a good-faith effort to avoid privacy violations, data loss, and service disruption,
|
|
- only test systems they own or have explicit permission to test,
|
|
- give us reasonable time to remediate before public disclosure,
|
|
- don't exfiltrate more data than needed to demonstrate the issue.
|
|
|
|
Thank you for helping keep punktfunk and its users safe.
|