At AbacatePay, security is a top priority. This document describes how to report security vulnerabilities related to the AbacatePay CLI, as well as best practices for handling credentials and sensitive data when using the tool.
The AbacatePay CLI interacts directly with user environments, local servers, and AbacatePay APIs. Responsible disclosure and secure usage are essential to keep the ecosystem safe.
If you discover a security vulnerability in the AbacatePay CLI, please report it privately.
📧 Email: security@abacatepay.com
🔐 Alternative: Use GitHub Security Advisories in the official repository.
When reporting, include as much detail as possible:
- Clear description of the vulnerability
- Steps to reproduce
- Affected versions (if known)
- Potential impact (e.g. token exposure, RCE, privilege escalation)
- Suggested mitigation or fix (optional, but appreciated)
Do not open public issues for security vulnerabilities.

After a report is received, you can expect:
- Acknowledgement of your report within 48 business hours
- Triage and severity assessment
- Fix development based on the criticality of the issue
- Coordinated and responsible disclosure once a fix is available
We aim to act quickly and transparently while protecting users.
We ask that you do not publicly disclose vulnerabilities before AbacatePay has had the opportunity to investigate and release a fix.
We strongly support responsible disclosure and value collaboration with the security community.
The AbacatePay CLI uses OAuth2 Device Flow for authentication.
Authentication tokens are stored securely using the operating system’s native keyring:
- macOS: Keychain
- Linux: gnome-keyring or kwallet
- Windows: Credential Manager
Tokens are never stored in plain text files by default.

Recommendations for protecting your credentials:
- Never share screenshots or logs containing tokens
- Avoid running the CLI on shared or untrusted machines
- Always log out (`abacatepay logout`) on compromised environments
- Keep your system keyring properly configured and locked
The CLI generates logs in `~/.abacatepay/logs/`.
Logs may include:
- Request metadata
- Event identifiers
- Timing and status information

Keep in mind:
- Tokens and secrets are not intentionally logged
- Webhook payloads may contain sensitive business data
- Treat log files as sensitive information
Do not commit logs to repositories or share them publicly.
When using webhook forwarding:
- Ensure your local server is trusted
- Avoid exposing forwarded endpoints to the public internet
- Use firewalls or local-only bindings when possible
- Validate incoming webhook payloads on your server
The CLI acts as a transport layer — your application is responsible for payload validation.
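As an added example (not the CLI's or AbacatePay's own code) of the local-only binding and payload validation recommended above, the following Go receiver listens on 127.0.0.1 only, bounds the forwarded body, and rejects payloads missing the fields the application expects; the `webhookEvent` shape, the `/webhook` path, port 8080 and the size limit are assumptions for this example, not AbacatePay's documented webhook format.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"log"
	"net/http"
)

const maxBodyBytes = 64 << 10 // assumed bound on a forwarded payload before parsing
// webhookEvent is a hypothetical shape assumed here, not AbacatePay's documented format.
type webhookEvent struct {
	ID    string `json:"id"`
	Event string `json:"event"`
}

// validatePayload rejects malformed input before any business logic runs.
func validatePayload(body []byte) (*webhookEvent, error) {
	var ev webhookEvent
	if err := json.Unmarshal(body, &ev); err != nil {
		return nil, fmt.Errorf("invalid webhook payload: %v", err)
	}
	if ev.ID == "" || ev.Event == "" {
		return nil, fmt.Errorf("invalid webhook payload: id and event are required")
	}
	return &ev, nil
}

// webhookHandler bounds the body, validates it and logs metadata only (never the payload).
func webhookHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, maxBodyBytes))
	if err != nil {
		http.Error(w, "payload too large", http.StatusRequestEntityTooLarge)
		return
	}
	ev, err := validatePayload(body)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	log.Printf("accepted webhook id=%s event=%s", ev.ID, ev.Event)
	w.WriteHeader(http.StatusNoContent)
}

func main() {
	http.HandleFunc("/webhook", webhookHandler)
	// Bind to 127.0.0.1 only, so the forwarded endpoint is unreachable from the network.
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

Point the CLI's webhook forwarding at `http://127.0.0.1:8080/webhook` and the server rejects oversized or malformed payloads before your application code sees them.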
We recommend installing the CLI using official channels only:
- `go install github.com/AbacatePay/abacatepay-cli@latest`
- Official Homebrew tap (when available)
Avoid running binaries from unknown sources or forks.
This security policy applies to:
- The AbacatePay CLI source code
- Distributed binaries
- Authentication, token handling, and webhook forwarding logic
For API-level or platform vulnerabilities, refer to the main AbacatePay security policies.
We appreciate and recognize all responsible disclosures that help improve the security of the AbacatePay ecosystem.
Your contributions help keep our users and developers safe.
- AbacatePay Documentation: https://docs.abacatepay.com
- CLI Documentation: https://docs.abacatepay.com/pages/cli
- Main Security Contact: security@abacatepay.com