Hack Monty

Welcome. This is a honeypot. The server behind it executes whatever Python you POST to /run/ inside pydantic monty, our language-level sandbox.

There is a secret on this machine. Your job is to find it — by escaping the sandbox. If you do, we'll pay you $5,000.

Blog post about this.

Also look at the API docs. (or Redoc)

Grab the hackmonty.py CLI to run code here from your terminal.

View the traces in Pydantic Logfire to see what how your code is executed (and everyone else's).

Bounty rules & how to participate

WARNING

Anyone can join the Pydantic Logfire project to view all requests to hackmonty.com. All http headers (including IP and User-Agent etc.) are collected for requests to /run/ and /run/{snapshot_id}/.

Bounty rules (I strongly suggest you read all the rules before participating!)

Bounty amounts

$5,000 — full bounty for a confirmed security flaw in Pydantic Monty that lets you extract the secret
Partial amount (at our discretion) — for vulnerabilities in this app, the dependency tree, or Logfire; or for Monty flaws that don't reach the secret
No bounty — crashes or bugs — though we'd still love to hear about them

Most importantly:

DO NOT ATTEMPT TO SUBMIT CHANGES TO THE MONTY CODEBASE, OR ANY OTHER CODEBASE THAT INTRODUCE NEW SECURITY VULNERABILITIES. If you do this, or run agents that try to do this, we will block you and report you as a malicious actor. If we find that a pull request has been merged to introduce a vulnerability related to this bounty program anywhere in the dependency tree, we'll stop the bounty program.
We need to see the code you used to find the secret and the secret to pay the full bounty
We'll only pay the bounty once per issue identified, on a first come first serve basis - we'll endeavour to update this page ASAP if/when someone finds a vulnerability
We might stop the bounty program at any time

What we'll pay the full bounty for:

Finding the file or environment variable secret by identifying a security flaw or vulnerability in Pydantic Monty where you can show the code or technique you used and show us the secret you found

What we may pay a partial bounty for (amount to be decided at our discretion):

Finding a security flaw in this app (e.g. a mistake in our server configuration or code) that allows you to read the secret
Finding a security flaw or vulnerability somewhere in the dependency tree of this app (e.g. Pydantic validation, Starlette, Uvicorn, PyO3) that allows you to read the secret
Finding a security flaw in Pydantic Logfire where it instruments this app - this doesn't have to allow you to read the secret, if you find a vulnerability or access to information that shouldn't be visible, please let us know
Finding a vulnerability in Pydantic Monty that allows access or control of the host but doesn't allow you to read the secrets (e.g. rust traceback, OS details, binary path etc., network access, reading or writing to a file you shouldn't have access to)
Finding a vulnerability in Pydantic Monty you to see code (partial or complete) that was previously run in Monty by another user

What we will not pay a bounty for, but would still appreciate:

finding a way to cause a crash with malicious code with Monty, e.g. panic, stack overflow, seg fault, unlimited memory allocation or unlimited CPU usage - we'd love you to report any such issue with the code you used, and we'd love to buy you a drink or give you a t-shirt in thanks if we see you at a conference, but we won't pay a bounty for these issues at this time, please create an issue
finding bugs or cpython compatibility issues with Monty - please create issues but this isn't part of the bounty program
finding bugs or vulnerability somewhere in the dependency tree of this app - please check if the issue is new and create an issue or security report for that project, but again it's not part of this bounty program

What we will not pay a bounty for and strongly discourage (please don't do this!):

finding the secret or other vulnerability by changing the code in any library - see the first rule above!
finding the secret via "spear fishing" us (the Pydantic team) or other such mechanisms
finding any security flaw in Render where this app is deployed, if you discover a security issue with Render, please report it here
DOS'ing the app or otherwise causing it to be unresponsive or otherwise causing a denial of service
DOS'ing or otherwise causing a service interruption in any other Pydantic service

How to participate

The goal is to read one of the secrets on this machine: either the contents of /app/secret.txt or the value of the SECRET environment variable. Both are set in production and not reachable from a well-behaved sandboxed program.

Submitting code

POST Python source to /run/:

curl -X POST https://hackmonty.com/run/ \
  -H 'content-type: application/json' \
  -d '{"code": "print(1 + 1)"}'

The response is a JSON snapshot. Monty pauses whenever sandboxed code needs something from the outside world — a function call, a name lookup, or a future — and returns a snapshot describing the pause. The server resolves OS-related snapshots (datetime.now, date.today, os.environ, os.getenv) internally against a fake environment, so those never reach you; everything else does.

Resuming

POST the resume payload to /run/{snapshot_id}/. The kind in the body must match the snapshot's kind or you'll get a 400. A single program will typically require many resumes before it either completes or surrenders the secret.

See the Swagger docs or Redoc docs for the full request and response schemas.

Request secret

To let us confirm it was really you who found the secret, you may want to include a User header on your requests. The header value should be the SHA-256 hex digest of some unique secret only you know (a random string, passphrase, UUID — anything). Keep the plaintext to yourself until you report the find; we'll check that its SHA-256 matches a User header we recorded from the winning run and that nobody else beat you to it.

USER_HASH=$(printf 'my-secret-passphrase' | shasum -a 256 | awk '{print $1}')
curl -X POST https://hackmonty.com/run/ \
  -H 'content-type: application/json' \
  -H "User: $USER_HASH" \
  -d '{"code": "print(1 + 1)"}'

The CLI at hackmonty.py accepts a --user-secret flag that takes your plaintext secret and sends its SHA-256 as the header on every request:

uv run hackmonty.py --user-secret 'my-secret-passphrase' --code 'print(1 + 1)'

Who we can pay

We'd love contributions from any developer, anywhere — but we can only pay the bounty if you have a bank account in a country approved by GitHub Sponsors, and our bank (Mercury) is able to make a transfer to it. If you find something and we can't legally pay you, we'll still credit you publicly and sort out some swag — but please check the list before you spend a week on this expecting a cheque.

Reporting a find

If you've found a vulnerability that you think is worth paying the bounty for, please submit this form.