Security bugs may be privately reported to security@bulwark.security.

Due to Bulwark's design as a security engine that hosts detections as separate, customizable, composable units, security reports should not be sent for individual detections or specific combinations of detections. Instead, file issues against the detection repository in question.

Reports related to the security of the engine itself are welcomed at the contact address above. There is currently no active bug bounty program, only a vulnerability disclosure process.