Responsible Disclosure Policy

Updated over a week ago

Keeping your projects, responses, and user information safe is a top priority at Ballpark. We appreciate the work of the security research community and welcome responsible disclosure of any potential vulnerabilities you may discover in our products or services.

Ballpark does not operate a public bug bounty or reward program. However, we encourage good-faith reports from researchers and commit to reviewing and addressing valid issues promptly.

If you believe you’ve found a security vulnerability, please notify us at [email protected]. We will acknowledge your report within a reasonable timeframe and keep you informed as we investigate.

This page is intended for legitimate security researchers. Please refrain from automated scanning, high-volume submissions, or reports generated for the purpose of seeking rewards. Our priority is meaningful, high-impact security improvements that protect all Ballpark users.

Scope

Our Responsible Disclosure program is limited to security vulnerabilities in Ballpark web applications; do not attempt phishing attacks against our users in any circumstances. Out of concern for the availability of our services to all users, please do not attempt to carry out DoS attacks, spam people, or do other similarly questionable things. Vulnerability testing tools that automatically generate significant volumes of traffic are strictly prohibited. The following sites and applications are in scope for this program:

* ballparkhq.com (TLD Only)

Vulnerabilities reported on other Ballpark properties or applications, such as blog.ballparkhq.com, are currently not eligible for monetary rewards.

Non-qualifying vulnerabilities

The following bugs are unlikely to be eligible for a bounty payment:

  • Issues found through automated testing

  • Scanner output or scanner-generated reports

  • CVE Vulnerabilities released within the last 60 days

  • Missing HTTP security headers

  • Logout and other instances of low-severity Cross-Site Request Forgery

  • SSL/TLS best practices

  • Denial of Service attacks or Rate limiting issues

  • Brute Force attacks

  • Lack of Captcha

  • Lack of Secure/HttpOnly flags on non-sensitive cookies

  • Spam, including:

      • SPF and DKIM issues

      • Content injection

      • Hyperlink injection in emails

  • Content Spoofing / text injection

  • Issues relating to password and account recovery policies, such as reset link expiration or password complexity

  • Full-Path Disclosure on any property

  • Clickjacking/UI redressing with no practical security impact

  • CSRF-able actions that do not require authentication (or a session) to exploit

  • Reports related to the following security-related headers:

  • GraphQL schema discovery or introspection behaviour (including type, field, or directive enumeration).

  • GraphQL query structure manipulation such as alias repetition, field duplication, or intentionally malformed queries that do not bypass authentication or authorization.

  • Bugs that do not represent any security risk

  • Security bugs related to third-party applications and services used by Ballpark

  • Email signup and verification methods

Social Engineering

Social engineering attacks against our support and security team are strictly prohibited. This will most likely result in your account being closed, and no bounty will be awarded.

Disclosure Policy

  1. Let us know as soon as possible via [email protected] upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.

  2. Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.

  3. Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Thank you for helping keep Ballpark and our users safe and secure!