Help clean the world from API vulnerabilities and win prizes!

API usage has grown fast, but API abuse has grown faster, as they have become attack vectors for data breaches, fraud, privilege escalation attacks, and more. But API security is often only carried out once the API is in production - which is too late.

Pynt’s mission is to help developers and testers by generating automated API security tests from existing functional test collections in a few minutes. Start using Pynt’s community version now directly from Postman.


Each participant earns a champion digital badge
for a legit submission (

Submission rules:

Find an app with a bug bounty program or self-hosted open-source with rest API/s. The application should not be deliberately vulnerable (e.g VaMPI).
Write a functional test Postman collection for the open-source application / public API. The functional test collection should adhere to the API documentation.
Run Pynt to discover vulnerabilities in the application.
Run in Postman, it’s free
Once a vulnerability is found (security error, not a warning), disclose the exposure to the application / open-source maintainer to get his acknowledgment of the vulnerability.
Send us a mail to with the subject:
"Pynt competition", and provide the following details:
  • Your full name
  • Signup mail
  • Scan ID (from Pynt’s report)
  • Application name
  • Application / open source repository link
  • Setup instructions (in case it's an open source) so we will be able to verify it
  • Evidence of the application / open-source maintainer acceptance.
Submissions will be accepted till 30-April-2023

Factors that increase the chance of winning:

Vulnerability found in open source
Popularity (stars in case of open source)
Vulnerability CVSS
The vulnerability is exploitable
In addition, submitting multiple vulnerabilities and applications will be aggregated into your score. In case of identical scoring the earlier submission will be favored.

Important Notes

You must adhere to the open source/application owner/bug bounty program rules.
Do NOT publicly disclose any vulnerabilities without official consent from the application / open source owner.
Pynt reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward.
Any kind of vulnerability exploitation is NOT allowed, including making it public or obtaining a profit (other than a reward under this contest).
In addition to the opportunity to get Pynt prize, you will be entitled to the award suggested by the application owner/bug bounty program according to its rules, if exist.
By submitting a bug, participants agree to be bound by the rules stated above.

Sign up to Pynt