# $10k bounty to break Pydantic's Python interpreter / sandbox > Source: > Published: 2026-06-03 07:47:19+00:00 # Hack Monty - Round 2 Welcome. This is a honeypot. The server behind it executes whatever Python you POST to /run/ inside [pydantic monty](https://github.com/pydantic/monty), our language-level sandbox. There is a secret on this machine. Your job is to find it — by escaping the sandbox. If you do, we'll pay you $10,000 USD. This bounty is sponsored by [Pydantic](https://pydantic.dev?utm_source=bounty), [Prefect](https://www.prefect.io/), and [Hugging Face](https://huggingface.co/). [Also look at the API docs.](/docs/) (or [Redoc](/redoc)) [Grab the hackmonty.py CLI](https://gist.github.com/samuelcolvin/bae1f0017137239396283270325ea19c) to run code here from your terminal. [View the traces](https://logfire-us.pydantic.dev/l/join-samuelcolvin/aJeIaD5KCO) in Pydantic Logfire to see how your code is executed (and everyone else's!). ## Bounty rules & how to participate ## WARNING Anyone can [join the Pydantic Logfire project](https://logfire-us.pydantic.dev/l/join-samuelcolvin/aJeIaD5KCO) to view all requests to hackmonty.com. All http headers (including IP and User-Agent etc.) are collected for requests to `/run/` and `/run/{snapshot_id}/` . ## Bounty rules (**I strongly suggest you read all the rules before participating!**) Most importantly: - **DO NOT ATTEMPT TO SUBMIT CHANGES TO THE MONTY CODEBASE, OR ANY OTHER CODEBASE THAT INTRODUCE NEW SECURITY VULNERABILITIES**. If you do this, or run agents that try to do this, we will block you and report you as a malicious actor. If we find that a pull request has been merged to introduce a vulnerability related to this bounty program anywhere in the dependency tree, we'll stop the bounty program. - We need to see the code you used to find the secret and the secret to pay the full bounty - We'll only pay the bounty once per issue identified, on a first come first serve basis - we'll endeavour to update this blog post ASAP if/when someone finds a vulnerability - We might stop the bounty program at any time What we'll pay the full bounty for: - Finding the file or environment variable secret by identifying a security flaw or vulnerability in Pydantic Monty where you can show the code or technique you used and show us the secret you found What we may pay a partial bounty for (amount to be decided at our discretion): - Finding a security flaw in this app (e.g. a mistake in our server configuration or code) that allows you to read the secret - Finding a security flaw or vulnerability somewhere in the dependency tree of this app (e.g. Pydantic validation, Starlette, Uvicorn, PyO3) that allows you to read the secret - Finding a security flaw in Pydantic Logfire where it instruments this app - this doesn't have to allow you to read the secret, if you find a vulnerability or access to information that shouldn't be visible, please let us know - Finding a vulnerability in Pydantic Monty that allows access or control of the host but doesn't allow you to read the secrets (e.g. rust traceback, OS details, binary path etc., network access, reading or writing to a file you shouldn't have access to) - Finding a vulnerability in Pydantic Monty you to see code (partial or complete) that was previously run in Monty by another user What we will not pay a bounty for, but would still appreciate: - finding a way to cause a crash with malicious code with Monty, e.g. panic, stack overflow, seg fault, unlimited memory allocation or unlimited CPU usage - we'd love you to report any such issue with the code you used, and we'd love to buy you a drink or give you a t-shirt in thanks if we see you at a conference, but we won't pay a bounty for these issues at this time, please [create an issue](https://github.com/pydantic/monty) - finding bugs or cpython compatibility issues with Monty - please [create issues](https://github.com/pydantic/monty)but this isn't part of the bounty program - finding bugs or vulnerability somewhere in the dependency tree of this app - please check if the issue is new and create an issue or security report for that project, but again it's not part of this bounty program What we will not pay a bounty for and strongly discourage (**please don't do this!**): - finding the secret or other vulnerability by changing the code in any library - see the first rule above! - finding the secret via "spear fishing" us (the Pydantic team) or other such mechanisms - finding any security flaw in Render where this app is deployed, if you discover a security issue with Render, please report it [here](https://hackerone.com/render?type=team) - DOS'ing the app or otherwise causing it to be unresponsive or otherwise causing a denial of service - DOS'ing or otherwise causing a service interruption in any other Pydantic service ## How to participate The goal is to read one of the secrets on this machine: either the contents of `/etc/secrets/hackmonth.txt` or the value of the `SECRET` environment variable. Both are set in production and not reachable from a well-behaved sandboxed program. ### Submitting code POST Python source to `/run/` : ``` curl -X POST https://hackmonty.com/run/ \ -H 'content-type: application/json' \ -d '{"code": "print(1 + 1)"}' ``` The response is a JSON *snapshot*. Monty pauses whenever sandboxed code needs something from the outside world — a function call, a name lookup, or a future — and returns a snapshot describing the pause. The server resolves OS-related snapshots (`datetime.now` , `date.today` , `os.environ` , `os.getenv` ) internally against a fake environment, so those never reach you; everything else does. The `/data` directory is a real read-only filesystem mount — sandboxed code can genuinely read files there, e.g. `Path('/data/sample.txt').read_text()` . The contents are not secret (the real secret lives outside `/data` ), but the mount is a legitimate surface for probing filesystem-related sandbox behaviour. ### Resuming POST the resume payload to `/run/{snapshot_id}/` . The `kind` in the body must match the snapshot's kind or you'll get a 400. A single program will typically require many resumes before it either completes or surrenders the secret. See the [Swagger docs](/docs) or [Redoc docs](/redoc) for the full request and response schemas. ### Request secret To let us confirm it was really *you* who found the secret, you may want to include a `User` header on your requests. The header value should be the SHA-256 hex digest of some unique secret only you know (a random string, passphrase, UUID — anything). Keep the plaintext to yourself until you [report the find](https://roast-us.pydantic.dev/hackmonty2); we'll check that its SHA-256 matches a `User` header we recorded from the winning run and that nobody else beat you to it. ``` USER_HASH=$(printf 'my-secret-passphrase' | shasum -a 256 | awk '{print $1}') curl -X POST https://hackmonty.com/run/ \ -H 'content-type: application/json' \ -H "User: $USER_HASH" \ -d '{"code": "print(1 + 1)"}' ``` The CLI at [ hackmonty.py](https://gist.github.com/samuelcolvin/bae1f0017137239396283270325ea19c) accepts a `--user-secret` flag that takes your plaintext secret and sends its SHA-256 as the header on every request: ``` uv run hackmonty.py --user-secret 'my-secret-passphrase' --code 'print(1 + 1)' ``` ### Who we can pay We'd love contributions from any developer, anywhere — but we can only pay the bounty if you have a bank account in a country [approved by GitHub Sponsors](https://docs.github.com/en/sponsors/getting-started-with-github-sponsors/about-github-sponsors#supported-regions-for-github-sponsors), *and* our bank (Mercury) is able to make a transfer to it. If you find something and we can't legally pay you, we'll still credit you publicly and sort out some swag — but please check the list before you spend a week on this expecting a cheque. ### Reporting a find If you've found a vulnerability that you think is worth paying the bounty for, please submit [this](https://roast-us.pydantic.dev/hackmonty2) form. If you want to talk to us about [#monty](https://pydanticlogfire.slack.com/archives/C0AEZ9EQT0F), join our community in [Slack](https://logfire.pydantic.dev/docs/join-slack/). ## Sponsors We're partnering with Prefect and Hugging Face for this round of Hack Monty. ### Prefect Prefect makes FastMCP. We're co-sponsoring Hack Monty because FastMCP 3.1's CodeMode — which lets agents discover and chain tools in Python instead of burning context on full catalogs — runs on Pydantic's Monty by default. We chose Monty because it's lightweight and runs embedded: no extra infrastructure, microsecond startup. Embedded also means a sandbox escape is a host compromise. Funding half of round 2's bounty is the cheapest way to get serious researchers pressure-testing it. ### Hugging Face At Hugging Face we’re building the infrastructure for your agents. We use the fast, embeddable code execution sandbox from Pydantic Monty to simply - and safely - run model generated code in our MCP Server. We’re funding the Round 2 bounty to promote researching and solving security issues in the foundational components of the future.