{"slug": "10k-bounty-to-break-pydantic-s-python-interpreter-sandbox", "title": "$10k bounty to break Pydantic's Python interpreter / sandbox", "summary": "Pydantic, Prefect, and Hugging Face are offering a $10,000 bounty to anyone who can escape the Pydantic Monty Python sandbox and retrieve a secret stored on the hackmonty.com server. The bounty program, hosted on a honeypot server that executes user-submitted Python code, aims to identify security flaws in the sandbox and its dependency tree. Participants must submit their exploit code and the discovered secret to claim the full reward on a first-come, first-served basis.", "body_md": "# Hack Monty - Round 2\n\nWelcome. This is a honeypot. The server behind it executes whatever\nPython you POST to /run/ inside\n[pydantic monty](https://github.com/pydantic/monty), our\nlanguage-level sandbox.\n\nThere is a secret on this machine. Your job is to find it — by escaping the sandbox. If you do, we'll pay you $10,000 USD.\n\nThis bounty is sponsored by [Pydantic](https://pydantic.dev?utm_source=bounty), [Prefect](https://www.prefect.io/), and [Hugging Face](https://huggingface.co/).\n\n[Also look at the API docs.](/docs/) (or\n[Redoc](/redoc))\n\n[Grab the hackmonty.py CLI](https://gist.github.com/samuelcolvin/bae1f0017137239396283270325ea19c)\nto run code here from your terminal.\n\n[View the traces](https://logfire-us.pydantic.dev/l/join-samuelcolvin/aJeIaD5KCO)\nin Pydantic Logfire to see how your code is executed (and everyone\nelse's!).\n\n## Bounty rules & how to participate\n\n## WARNING\n\nAnyone can\n[join the Pydantic Logfire project](https://logfire-us.pydantic.dev/l/join-samuelcolvin/aJeIaD5KCO)\nto view all requests to hackmonty.com. All http headers (including IP\nand User-Agent etc.) are collected for requests to\n`/run/`\n\nand `/run/{snapshot_id}/`\n\n.\n\n##\nBounty rules (**I strongly suggest you read all the rules before\nparticipating!**)\n\nMost importantly:\n\n-\n**DO NOT ATTEMPT TO SUBMIT CHANGES TO THE MONTY CODEBASE, OR ANY OTHER CODEBASE THAT INTRODUCE NEW SECURITY VULNERABILITIES**. If you do this, or run agents that try to do this, we will block you and report you as a malicious actor. If we find that a pull request has been merged to introduce a vulnerability related to this bounty program anywhere in the dependency tree, we'll stop the bounty program. - We need to see the code you used to find the secret and the secret to pay the full bounty\n- We'll only pay the bounty once per issue identified, on a first come first serve basis - we'll endeavour to update this blog post ASAP if/when someone finds a vulnerability\n- We might stop the bounty program at any time\n\nWhat we'll pay the full bounty for:\n\n- Finding the file or environment variable secret by identifying a security flaw or vulnerability in Pydantic Monty where you can show the code or technique you used and show us the secret you found\n\nWhat we may pay a partial bounty for (amount to be decided at our discretion):\n\n- Finding a security flaw in this app (e.g. a mistake in our server configuration or code) that allows you to read the secret\n- Finding a security flaw or vulnerability somewhere in the dependency tree of this app (e.g. Pydantic validation, Starlette, Uvicorn, PyO3) that allows you to read the secret\n- Finding a security flaw in Pydantic Logfire where it instruments this app - this doesn't have to allow you to read the secret, if you find a vulnerability or access to information that shouldn't be visible, please let us know\n- Finding a vulnerability in Pydantic Monty that allows access or control of the host but doesn't allow you to read the secrets (e.g. rust traceback, OS details, binary path etc., network access, reading or writing to a file you shouldn't have access to)\n- Finding a vulnerability in Pydantic Monty you to see code (partial or complete) that was previously run in Monty by another user\n\nWhat we will not pay a bounty for, but would still appreciate:\n\n-\nfinding a way to cause a crash with malicious code with Monty, e.g.\npanic, stack overflow, seg fault, unlimited memory allocation or\nunlimited CPU usage - we'd love you to report any such issue with\nthe code you used, and we'd love to buy you a drink or give you a\nt-shirt in thanks if we see you at a conference, but we won't pay a\nbounty for these issues at this time, please\n[create an issue](https://github.com/pydantic/monty) -\nfinding bugs or cpython compatibility issues with Monty - please\n[create issues](https://github.com/pydantic/monty)but this isn't part of the bounty program - finding bugs or vulnerability somewhere in the dependency tree of this app - please check if the issue is new and create an issue or security report for that project, but again it's not part of this bounty program\n\nWhat we will not pay a bounty for and strongly discourage (**please don't do this!**):\n\n- finding the secret or other vulnerability by changing the code in any library - see the first rule above!\n- finding the secret via \"spear fishing\" us (the Pydantic team) or other such mechanisms\n-\nfinding any security flaw in Render where this app is deployed, if\nyou discover a security issue with Render, please report it\n[here](https://hackerone.com/render?type=team) - DOS'ing the app or otherwise causing it to be unresponsive or otherwise causing a denial of service\n- DOS'ing or otherwise causing a service interruption in any other Pydantic service\n\n## How to participate\n\nThe goal is to read one of the secrets on this machine: either the\ncontents of `/etc/secrets/hackmonth.txt`\n\nor the value of\nthe `SECRET`\n\nenvironment variable. Both are set in\nproduction and not reachable from a well-behaved sandboxed program.\n\n### Submitting code\n\nPOST Python source to `/run/`\n\n:\n\n```\ncurl -X POST https://hackmonty.com/run/ \\\n  -H 'content-type: application/json' \\\n  -d '{\"code\": \"print(1 + 1)\"}'\n```\n\nThe response is a JSON *snapshot*. Monty pauses whenever\nsandboxed code needs something from the outside world — a function\ncall, a name lookup, or a future — and returns a snapshot describing\nthe pause. The server resolves OS-related snapshots\n(`datetime.now`\n\n, `date.today`\n\n,\n`os.environ`\n\n, `os.getenv`\n\n) internally against a\nfake environment, so those never reach you; everything else does.\n\nThe `/data`\n\ndirectory is a real read-only filesystem mount\n— sandboxed code can genuinely read files there, e.g.\n`Path('/data/sample.txt').read_text()`\n\n. The contents are\nnot secret (the real secret lives outside `/data`\n\n), but the\nmount is a legitimate surface for probing filesystem-related sandbox\nbehaviour.\n\n### Resuming\n\nPOST the resume payload to `/run/{snapshot_id}/`\n\n. The\n`kind`\n\nin the body must match the snapshot's kind or you'll\nget a 400. A single program will typically require many resumes before\nit either completes or surrenders the secret.\n\nSee the [Swagger docs](/docs) or\n[Redoc docs](/redoc) for the full request and response\nschemas.\n\n### Request secret\n\nTo let us confirm it was really *you* who found the secret, you may want to\ninclude a `User`\n\nheader on your requests. The header value should be the\nSHA-256 hex digest of some unique secret only you know (a random string,\npassphrase, UUID — anything). Keep the plaintext to yourself until you\n[report the find](https://roast-us.pydantic.dev/hackmonty2); we'll check that\nits SHA-256 matches a `User`\n\nheader we recorded from the winning run and that\nnobody else beat you to it.\n\n```\nUSER_HASH=$(printf 'my-secret-passphrase' | shasum -a 256 | awk '{print $1}')\ncurl -X POST https://hackmonty.com/run/ \\\n  -H 'content-type: application/json' \\\n  -H \"User: $USER_HASH\" \\\n  -d '{\"code\": \"print(1 + 1)\"}'\n```\n\nThe CLI at\n[ hackmonty.py](https://gist.github.com/samuelcolvin/bae1f0017137239396283270325ea19c)\naccepts a\n\n`--user-secret`\n\nflag that takes your plaintext\nsecret and sends its SHA-256 as the header on every request:\n\n```\nuv run hackmonty.py --user-secret 'my-secret-passphrase' --code 'print(1 + 1)'\n```\n\n### Who we can pay\n\nWe'd love contributions from any developer, anywhere — but we can only\npay the bounty if you have a bank account in a country\n[approved by GitHub Sponsors](https://docs.github.com/en/sponsors/getting-started-with-github-sponsors/about-github-sponsors#supported-regions-for-github-sponsors), *and* our bank (Mercury) is able to make a transfer to it.\nIf you find something and we can't legally pay you, we'll still credit\nyou publicly and sort out some swag — but please check the list before\nyou spend a week on this expecting a cheque.\n\n### Reporting a find\n\nIf you've found a vulnerability that you think is worth paying the bounty for, please submit [this](https://roast-us.pydantic.dev/hackmonty2) form.\n\nIf you want to talk to us about [#monty](https://pydanticlogfire.slack.com/archives/C0AEZ9EQT0F), join our community in [Slack](https://logfire.pydantic.dev/docs/join-slack/).\n\n## Sponsors\n\nWe're partnering with Prefect and Hugging Face for this round of Hack Monty.\n\n### Prefect\n\nPrefect makes FastMCP. We're co-sponsoring Hack Monty because FastMCP 3.1's CodeMode — which lets agents discover and chain tools in Python instead of burning context on full catalogs — runs on Pydantic's Monty by default. We chose Monty because it's lightweight and runs embedded: no extra infrastructure, microsecond startup. Embedded also means a sandbox escape is a host compromise. Funding half of round 2's bounty is the cheapest way to get serious researchers pressure-testing it.\n\n### Hugging Face\n\nAt Hugging Face we’re building the infrastructure for your agents. We use the fast, embeddable code execution sandbox from Pydantic Monty to simply - and safely - run model generated code in our MCP Server. We’re funding the Round 2 bounty to promote researching and solving security issues in the foundational components of the future.", "url": "https://wpnews.pro/news/10k-bounty-to-break-pydantic-s-python-interpreter-sandbox", "canonical_source": "https://hackmonty.com/", "published_at": "2026-06-03 07:47:19+00:00", "updated_at": "2026-06-03 08:16:58.342697+00:00", "lang": "en", "topics": ["ai-safety", "ai-research", "ai-tools", "ai-infrastructure", "ai-agents"], "entities": ["Pydantic", "Prefect", "Hugging Face", "Samuel Colvin", "Hack Monty", "Pydantic Logfire", "Monty"], "alternates": {"html": "https://wpnews.pro/news/10k-bounty-to-break-pydantic-s-python-interpreter-sandbox", "markdown": "https://wpnews.pro/news/10k-bounty-to-break-pydantic-s-python-interpreter-sandbox.md", "text": "https://wpnews.pro/news/10k-bounty-to-break-pydantic-s-python-interpreter-sandbox.txt", "jsonld": "https://wpnews.pro/news/10k-bounty-to-break-pydantic-s-python-interpreter-sandbox.jsonld"}}