Simon Tatham (born 3 May 1977) is a British software engineer and free-software author. He is the original author and principal maintainer of PuTTY, a free implementation of SSH, Telnet, and terminal-emulation software for Windows and Unix-like systems.^[3][4] He was also one of the original developers of the Netwide Assembler (NASM) and is the maintainer of Simon Tatham's Portable Puzzle Collection, a set of single-player puzzle games designed to run on multiple platforms.^[5][6]

PuTTY is distributed as free software under the MIT licence.^[3] The O'Reilly reference work SSH, The Secure Shell: The Definitive Guide devoted a chapter to PuTTY, crediting Tatham with creating the suite and writing its manual.^[7] The European Commission selected PuTTY for its EU-FOSSA 2 open-source security audit and bug-bounty programme, which led to the discovery of a vulnerability in the codebase dating from the project's beginning.^[8][9] Tatham has coordinated security releases, including a 2019 fix for vulnerabilities found through the bug-bounty programme and a 2024 patch for a flaw in ECDSA key handling that affected several projects embedding PuTTY code.^[10][11]

As one of NASM's original developers, Tatham contributed to an x86 assembler used in systems-programming and operating-system development.^[5][12] His Portable Puzzle Collection comprises single-player logic games running natively on Windows and Unix, with third-party ports for Android and iOS.^[6][13][14] His personal website also hosts technical essays, including How to Report Bugs Effectively, a guide to writing useful software defect reports.^[15]

Tatham was born on 3 May 1977.^[1] On his personal website, he describes his education as including Leighton Park School in Reading and the University of Cambridge.^[1] He later worked as a compiler and toolchain developer at Arm in Cambridge; in a 2019 Arm engineering article, he wrote that his day job was in Arm's Development Solutions Group, developing Arm Compiler and supporting tools.^[2]

Tatham has described his free-software work as beginning during his school and university years. His personal history notes earlier programming projects, including graphics software and terminal-emulation experiments, before the creation of PuTTY.^[1]

PuTTY is a free implementation of SSH and Telnet for Windows and Unix platforms, together with an xterm terminal emulator.^[3] The project page states that PuTTY is written and maintained primarily by Tatham.^[3] It is distributed as open-source software under the MIT licence and includes companion tools such as PSCP, PSFTP, Plink, Pageant, and PuTTYgen.^[16]

Tatham's account of the program's origin begins with an earlier attempt to combine a Linux Telnet implementation with an xterm front end and port the result to Win32. He later wrote that this approach failed and that he therefore reimplemented a terminal emulator and Telnet client from scratch under the name STel. In 1998, while revising for university examinations, he added an SSH backend, which became PuTTY.^[1]

PuTTY's longevity has made its distribution model a recurring subject in technical coverage. In 2025, The Register described PuTTY as a well-known free and open-source SSH client by Tatham and noted that its official home page remained on Tatham's Chiark-hosted personal web space rather than at the more obvious putty.org domain.^[4] The same report described confusion caused by the unrelated putty.org domain, which was owned by a commercial SSH-software vendor and was not affiliated with Tatham or the PuTTY project.^[4]

PuTTY's role as a security-sensitive network tool has made maintenance and vulnerability handling an important part of the project. In 2019, The Register reported on a set of PuTTY vulnerabilities found through an EU bug-bounty programme and quoted Tatham, described as PuTTY's lead maintainer, explaining that one unreleased host-key-verification bug would have allowed a man-in-the-middle attacker to bypass the SSH host-key system if it had reached a public release.^[10]

In 2024, PuTTY 0.81 fixed CVE-2024-31497, a vulnerability affecting ECDSA keys using the NIST P-521 curve. Risky Business News reported that the bug affected PuTTY versions from 0.67 through 0.80 and also affected software such as FileZilla, WinSCP, TortoiseGit, and TortoiseSVN where those programs embedded PuTTY code.^[11] The report summarised Tatham's explanation that the root cause involved PuTTY's older deterministic nonce-generation system for signatures, developed before Windows provided suitable cryptographic random-number-generation APIs.^[11]

Tatham has also continued to port and optimise PuTTY for new platforms. In a 2019 Arm article, he described porting PuTTY to Windows on Arm and optimising cryptographic code with the Armv8 cryptographic extensions.^[2] He wrote that this work was done in his spare time, although it overlapped with his day job at Arm.^[2]

Tatham was one of the original developers of the Netwide Assembler, commonly known as NASM. The NASM project states that it was originally developed by Tatham and Julian Hall and is now maintained by a team led by H. Peter Anvin.^[5] NASM is an assembler and disassembler for the x86 architecture and has been used in systems-programming, operating-system, bootloader, and low-level software-development contexts.

NASM's later maintainers changed the licence to the simplified two-clause BSD licence as of version 2.07.^[5] Tatham is no longer listed as the active maintainer, but his authorship remains part of the project's official history.^[5]

Tatham maintains a collection of small computer programs implementing one-player puzzle games.^[6] The project page describes the games as running natively on Unix using GTK and on Windows, with playable web versions through Java or JavaScript applets.^[6] Third-party ports have brought the collection to mobile and other platforms, including Android and iOS.^[13][14]

The collection is designed around generated puzzle instances rather than fixed levels. Many of the games are implementations or variants of logic-puzzle genres such as Bridges, Dominosa, Fifteen, Flood, Light Up, Loopy, Mines, Net, Pattern, Pearl, Slant, Solo, Tents, Towers, and Untangle.^[6][13] The Android port describes the collection as open-source, offline playable, and free of advertisements.^[13]

Tatham has continued to maintain the puzzle collection alongside PuTTY and other projects. In 2023 he announced that he could no longer build the macOS version himself because he no longer had a functioning Mac, but said he would help volunteers maintain the Mac front-end code if someone took it over.^[6]

Tatham's personal website includes documentation, essays, and smaller programs in addition to PuTTY and the puzzle collection.^[17] His essay How to Report Bugs Effectively explains how users can give developers enough information to reproduce and diagnose software defects. Its central advice is that a bug report should enable the programmer to see the failure or reproduce it, by giving exact commands, inputs, steps, transcripts, and environmental information where relevant.^[15]

Other software on Tatham's site includes spigot, a command-line exact real-number calculator, and various smaller utilities and experiments.^[17] He has also published mathematical and computing-related writings, including a paper with Gareth Taylor on the peg solitaire problem known as Solitaire Army.^[18]

Independent coverage of Tatham's work has focused primarily on PuTTY. The second edition of O'Reilly's SSH, The Secure Shell: The Definitive Guide devoted a chapter to PuTTY for Windows, describing it as a small, uncomplicated SSH client and crediting Tatham with creating the PuTTY suite, releasing it as free software, and writing its manual.^[7] In 2025, The Register described PuTTY as a well-known free and open-source SSH client by Tatham and discussed confusion caused by the unrelated putty.org domain, which was not affiliated with Tatham or the PuTTY project.^[4]

PuTTY has also been the subject of independent security coverage. In 2019, The Register reported on security fixes released after vulnerabilities were found through an EU-backed bug-bounty programme and identified Tatham as PuTTY's lead maintainer.^[10] The European Commission's EU-FOSSA 2 programme selected PuTTY as one of fifteen open-source projects used by the Commission for security review and bug bounties; BleepingComputer reported that PuTTY had the highest listed reward ceiling among the January 2019 HackerOne programmes.^[8] The Commission later reported that the programme had led to the discovery and repair of a long-standing PuTTY vulnerability dating from the beginning of the project.^[9] In 2024, Risky Business News reported on CVE-2024-31497, a PuTTY vulnerability affecting P-521 ECDSA keys and software that embedded PuTTY code, including FileZilla, WinSCP, TortoiseGit, and TortoiseSVN.^[11]

Tatham's other free-software work has also received independent coverage. Paul Carter's PC Assembly Language uses NASM for its examples and credits Tatham, Julian Hall, John S. Fine, and others with developing the assembler.^[12] The Linux Assembly HOWTO similarly credits Tatham and Hall for NASM.^[19] His Portable Puzzle Collection has been reviewed or covered by All About Symbian, GIGAZINE, and Set Side B, which described the collection's freeware, open-source, cross-platform, and generated-puzzle design.^[20][21][22]

Tatham's essay "How to Report Bugs Effectively" has also circulated outside his own website. Jeff Atwood cited the essay in a 2005 Coding Horror post on bug-reporting practices.^[23]

• PuTTY – SSH, Telnet, serial and terminal-emulation suite for Windows and Unix-like systems.^[3]
• Netwide Assembler – x86 assembler originally developed by Tatham and Julian Hall.^[5]
• Simon Tatham's Portable Puzzle Collection – portable single-player logic-puzzle collection.^[6]
• How to Report Bugs Effectively – essay on writing useful bug reports.^[15]
• spigot – command-line exact real-number calculator.^[17]

• Free software
• Secure Shell
• Terminal emulator

• Official website
• PuTTY
• Simon Tatham's Portable Puzzle Collection
• How to Report Bugs Effectively