Security Audits

Security is a very important concern for us, and we are constantly working to better protect our customers' data. One approach we take is to engage external security companies to audit parts of our software and infrastructure and help us locate potential issues.

We engaged Sakurity to do a black-box penetration test on Pusher Channels in April 2017. We then resolved all the issues they found by May 2017. Their summary can be found below.

We also frequently engage with independent security researchers who responsibly report security vulnerabilities to us. More info on our responsible disclosure program can be found on our security page.

Pusher Security Audit

Date: April 10, 2017

Conditions: 1 week of blackbox pentest

Prepared by: Sakurity Limited

Executive Summary

During this blackbox audit we reviewed all Pusher libraries including Pusher.js. No exploitable issues were found. All attack vectors we outlined back in May 2015 are properly fixed (socket_id is strictly validated) and now there's no way to sign arbitrary strings abusing /pusher/auth endpoints.

All exposed backend services were also tested for common vulnerabilities, and nothing was found.

Core functionality such as subscribing to private-* channels or creating an event is properly secured.
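
As an added example (not code from Pusher or from Sakurity's report), the Python below shows the kind of strict socket_id check the summary refers to, applied in a /pusher/auth handler before anything is signed. It assumes the Channels private-channel scheme of an HMAC-SHA256 signature over `socket_id:channel_name`; the key, secret, `authorize` function, `AuthRejected` class and the exact patterns are illustrative assumptions.

```python
import hashlib
import hmac
import re

# Constructed sample credentials, not real Pusher keys.
APP_KEY = "example-app-key"
APP_SECRET = b"example-app-secret"

# Assumed formats. fullmatch() is used so the whole value must match:
# no extra delimiters, no trailing newline, ASCII digits only.
SOCKET_ID_RE = re.compile(r"[0-9]+\.[0-9]+")
CHANNEL_RE = re.compile(r"[-a-zA-Z0-9_=@,.;]+")


class AuthRejected(ValueError):
    """Raised when a /pusher/auth request must not be signed."""


def authorize(socket_id, channel_name, user_may_subscribe):
    """Return the auth payload for a private channel, or raise AuthRejected.

    user_may_subscribe is the application's own access check (hypothetical
    callback): it receives the channel name and returns True or False.
    """
    # The signed string joins both client-supplied fields with ':'. If
    # either field may contain arbitrary characters, the endpoint ends up
    # signing strings the application never meant to approve.
    if not isinstance(socket_id, str) or not SOCKET_ID_RE.fullmatch(socket_id):
        raise AuthRejected("invalid socket_id")
    if not isinstance(channel_name, str) or not CHANNEL_RE.fullmatch(channel_name):
        raise AuthRejected("invalid channel name")
    if not channel_name.startswith("private-"):
        raise AuthRejected("not a private channel")
    if not user_may_subscribe(channel_name):
        raise AuthRejected("subscription not permitted")

    string_to_sign = f"{socket_id}:{channel_name}".encode("ascii")
    signature = hmac.new(APP_SECRET, string_to_sign, hashlib.sha256).hexdigest()
    return {"auth": f"{APP_KEY}:{signature}"}


if __name__ == "__main__":
    print(authorize("1234.5678", "private-room-1", lambda ch: True))
```

Validation runs before the access check and before signing, so a malformed request never reaches the HMAC call.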