hscli handles Help Scout OAuth credentials, so security reports are taken seriously.
Please do not open public GitHub issues for security vulnerabilities.
Report privately through GitHub's private vulnerability reporting (the repository's Security tab → Report a vulnerability). Include:
- A description of the issue and its impact
- Steps to reproduce
- The affected version (`hscli version`)
You will receive an acknowledgement within 72 hours and a status update within 7 days. Once a fix is released, reporters who wish to be named will be credited.
hscli is pre-1.0. Only the latest released version receives security fixes.
- OAuth tokens are stored only in the operating system keychain (macOS Keychain, Windows Credential Manager, or libsecret on Linux). hscli refuses to write credentials to disk in plaintext; if no keychain is available, authentication fails rather than falling back to insecure storage.
- The `hscli api` escape hatch only sends your token to `api.helpscout.net`. Requests that resolve to any other host are refused.
- App secrets passed via `--app-secret` may be recorded in your shell history. Prefer the `HSCLI_APP_SECRET` environment variable or the interactive `hscli auth setup` wizard.
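The host restriction on the escape hatch, shown as an added example in Go (not hscli's own code): the argument is resolved to an absolute URL and refused unless its authority is exactly `api.helpscout.net` over HTTPS. The function name, the individual refusal cases and the sample arguments are assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// allowedHost is the only host a token may be sent to.
const allowedHost = "api.helpscout.net"

var errRefused = errors.New("refused: request would not go to " + allowedHost)

// ResolveEndpoint (hypothetical name) turns the escape-hatch argument, either a path such as
// "/v2/conversations" or a full URL, into the absolute URL the request will use. It returns
// errRefused if the request would reach any host other than allowedHost.
func ResolveEndpoint(arg string) (string, error) {
	ref, err := url.Parse(arg)
	if err != nil {
		return "", fmt.Errorf("refused: cannot parse %q: %w", arg, err)
	}
	base := &url.URL{Scheme: "https", Host: allowedHost, Path: "/"}
	// A bare path (no scheme, no authority) is resolved against the API base.
	// "//other.example/x" has an empty scheme but a non-empty Host, so it is not treated as a path.
	if ref.Scheme == "" && ref.Host == "" {
		ref = base.ResolveReference(ref)
	}
	// Every absolute URL, whether user-supplied or resolved, passes the same checks.
	if ref.Scheme != "https" { // plaintext http would expose the token in transit
		return "", errRefused
	}
	if ref.User != nil { // "https://api.helpscout.net@other.example/" hides the real host after '@'
		return "", errRefused
	}
	if !strings.EqualFold(ref.Hostname(), allowedHost) { // also rejects "api.helpscout.net.other.example"
		return "", errRefused
	}
	if p := ref.Port(); p != "" && p != "443" {
		return "", errRefused
	}
	// Re-emit in canonical form so no unusual authority string reaches the HTTP client.
	out := url.URL{Scheme: "https", Host: allowedHost, Path: ref.Path, RawQuery: ref.RawQuery}
	return out.String(), nil
}

func main() {
	// Constructed sample arguments: two that should be accepted, four that should be refused.
	for _, arg := range []string{
		"/v2/conversations",
		"https://API.helpscout.net:443/v2/mailboxes?page=2",
		"http://api.helpscout.net/v2/conversations",
		"https://api.helpscout.net@other.example/v2",
		"https://api.helpscout.net.other.example/v2",
		"//other.example/v2",
	} {
		u, err := ResolveEndpoint(arg)
		fmt.Printf("%-50s accepted=%v %s\n", arg, err == nil, u)
	}
}
```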