Security Policy
Last updated: April 1, 2026
Pretense takes security seriously. As a product built specifically to protect code from unauthorized exposure, we hold ourselves to a high standard. We welcome responsible disclosure of vulnerabilities in our software and infrastructure.
Scope
The following are in scope for security research:
- The Pretense CLI proxy server (localhost:9339)
- The pretense.ai marketing site and dashboard
- The @pretense/* npm packages published to the npm registry
The following are out of scope:
- Denial of service (DoS/DDoS) attacks
- Social engineering of Pretense employees
- Physical attacks against infrastructure
- Vulnerabilities in third-party software not directly integrated by Pretense
- Issues requiring physical access to a user's machine
Responsible Disclosure
If you discover a security vulnerability, please report it to us privately before public disclosure. We ask that you:
- Do not exploit the vulnerability beyond what is necessary to confirm its existence
- Do not access, modify, or delete data belonging to other users
- Do not perform actions that could disrupt service availability
- Provide sufficient detail for us to reproduce and fix the issue
- Allow us a reasonable time to address the vulnerability before public disclosure
We commit to working with security researchers in good faith and will not pursue legal action against researchers who follow these guidelines.
How to Report
Primary contact: security@pretense.ai
Encrypted submission: security@pretense.ai (PGP key below)
PGP Key
-----BEGIN PGP PUBLIC KEY BLOCK-----
[PGP key will be published here. Contact security@pretense.ai to obtain the current key fingerprint while this page is being set up. Key ID: pending]
-----END PGP PUBLIC KEY BLOCK-----
Fingerprint: pending. Key publication in progress.
Response Time
| Severity | Initial Response | Target Fix Time |
|---|---|---|
| Critical (CVSS ≥ 9.0) | 24 hours | 7 days |
| High (CVSS 7.0–8.9) | 48 hours | 30 days |
| Medium (CVSS 4.0–6.9) | 72 hours | 90 days |
| Low (CVSS < 4.0) | 72 hours | Next release |
Bug Bounty Program
Current Status: Attribution Only
Pretense is pre-seed stage. We do not currently offer monetary bounties. However, we offer the following for valid security reports:
- Public credit in our security acknowledgments (your choice of name/handle)
- Private acknowledgment if you prefer anonymity
- Early access to Pro features for the duration of beta
- A signed letter of acknowledgment for your security portfolio
A monetary bounty program is planned for v0.3 as Pretense reaches revenue milestones.
Security Acknowledgments
No vulnerabilities have been reported yet. We look forward to working with the security community as our user base grows.
CVE Policy
For vulnerabilities with significant user impact, Pretense will file a CVE through MITRE and publish a public security advisory. We will coordinate disclosure timing with the reporting researcher.
Contact
Security reports: security@pretense.ai
General inquiries: jimmy@pretense.ai
Pretense Inc. · San Francisco, CA