Responsible Disclosure

Bullpen CLI is a money-handling command-line tool. If you find a vulnerability, please report it privately so we can verify the issue and coordinate a fix.

How to Report

Open a private support ticket and start the subject with [SECURITY]:

https://bullpen-help.freshdesk.com/support/tickets/new

Do not file public GitHub issues for sensitive reports.

What to Include

Useful reports include:

  • Bullpen CLI version and install channel
  • operating system and CPU architecture
  • exact commands or steps to reproduce
  • expected behavior and actual behavior
  • security impact, including whether funds, credentials, or private customer data could be affected
  • logs or screenshots with secrets redacted

Never send access tokens, refresh tokens, Turnkey credential bundles, private keys, seed phrases, API keys, or raw signing credentials.

Scope

In scope:

  • Bullpen CLI source code and command behavior
  • local credential storage, encryption, recovery, and logout behavior
  • CLI install scripts and update paths
  • npm, Homebrew, GitHub release, and binary distribution artifacts
  • leaked customer data, embedded secrets, or unsafe diagnostics in CLI output

Out of scope:

  • social engineering, phishing, spam, or physical attacks
  • denial-of-service or rate-limit testing without written approval
  • issues in third-party platforms unless Bullpen CLI mishandles them
  • destructive tests, unauthorized trading, or accessing another user's account or funds

Response Target

We aim to acknowledge security reports within 5 business days. Investigation time depends on severity, reproduction complexity, and whether a fix also requires backend or release-distribution changes.

Bounty Status

Bullpen does not currently operate a public paid bug bounty program for CLI reports. Submitting a report does not create an entitlement to payment. We may provide acknowledgement or attribution when appropriate and mutually agreed.

Coordinated Disclosure

Please give us a reasonable opportunity to investigate and remediate before public disclosure. A 90-day disclosure window is a good default unless we agree on a different timeline.

Safe Harbor

We will not pursue legal action for good-faith security research that follows this policy, avoids privacy violations, avoids service disruption, and does not move funds or access accounts without authorization.