Vulnerability Disclosure Policy

February 04, 2026

About Tradier

Tradier is a technology-focused, cloud-based financial services platform and brokerage API company headquartered in Charlotte, North Carolina. As a member of FINRA and SIPC, Tradier provides a comprehensive suite of REST-based APIs that power trading applications, platforms, and tools for developers, fintech companies, registered investment advisors, and individual traders.

Our platform enables secure access to trading capabilities for stocks, options, ETFs, and futures, alongside real-time and historical market data through both request/response and streaming interfaces. Tradier serves as an innovation springboard for the fintech community, allowing businesses and developers to integrate brokerage services, execute trades, and access market data without building costly infrastructure.

The security of our platform, our users' accounts, and their financial assets is our highest priority. We welcome collaboration with the security research community to identify and address vulnerabilities in our systems.


Program Overview

This Vulnerability Disclosure Program (VDP) provides security researchers with a clear framework for responsibly reporting security vulnerabilities discovered in Tradier's systems. We appreciate the efforts of the security community and are committed to working with researchers to protect our users and maintain the integrity of our platform.

Thank you for helping us keep Tradier and our users safe!


In Scope

The following targets are in scope for this program:

Web Applications:
This covers all frontend and backend components of Tradier's web applications, including user interfaces, APIs, and authentication systems. Note: Third-party services integrated into our web applications are OUT OF SCOPE unless the vulnerability directly impacts Tradier's systems.

  • Tradier Website - tradier.com
  • Tradier Web - web.tradier.com (including p-be-web.tradier.com, etc.)
  • Tradier Authentication - auth.tradier.com (including p-be-auth.tradier.com, etc.)
  • Tradier Developer Portal - developer.tradier.com (including p-be-developer.tradier.com, etc.)

Desktop/Mobile Applications:

  • Tradier Mobile (iOS)
  • Tradier Mobile (Android)
  • Tradier Pro (Windows/Mac)

API:

  • Tradier API - api.tradier.com
  • Tradier WebSocket - wss://ws.tradier.com
  • Tradier Streaming - stream.tradier.com

Testing Restrictions

To ensure the safety and integrity of our production systems and protect our users, researchers must adhere to the following restrictions:

Financial Activities:

  • Do not make actual financial transactions, execute real trades, or place orders of any kind
  • Do not attempt to move, withdraw, or transfer funds or assets

Authentication & Credentials:

  • Test only with accounts you own or have explicit written permission to use
  • Do not access, interact with, or share credentials for accounts belonging to other users

Leaked Credentials:

  • Submissions related to leaked or exposed credentials (e.g., dark web forums, credential dumps) will be reviewed on a case-by-case basis
  • The use of any leaked credentials during testing is strictly prohibited and may result in disqualification from the program

Automated Testing:

  • Automated testing of any kind is strictly prohibited (scanners, crawlers, fuzzing tools, scripts)
  • All testing must be manual and conducted with care
  • Do not spam API endpoints, contact forms, or submission forms

Data Protection:

  • If you discover PII, financial data, or sensitive information: STOP immediately
  • Do not save, store, copy, transfer, or retain any sensitive data
  • Limit access to the absolute minimum needed to demonstrate the vulnerability
  • Report the finding immediately

Strictly Prohibited:

  • Social engineering (phishing, vishing, smishing) or manipulation of employees/users
  • Denial of Service (DoS/DDoS) attacks or resource-intensive testing
  • Physical attacks against Tradier offices, data centers, or employees
  • Destructive testing that modifies, destroys, or corrupts data
  • Testing that degrades service availability or impacts other users
  • Public disclosure of vulnerabilities without prior written authorization

Market Hours:

  • Exercise extreme caution during U.S. market hours (Mon-Fri, 8:00 AM - 8:00 PM ET)
  • All testing must be lightweight and non-disruptive at all times

Out of Scope

The following issues are considered out of scope for this program and should not be reported:

  • Infrastructure configuration issues - SPF/DMARC/DKIM, missing DNS records, security headers, or SSL/TLS configuration without proof of exploitability
  • Low-impact findings - Username enumeration, version disclosure, missing rate limiting, clickjacking, logout CSRF, or other issues without demonstrable security impact
  • Third-party systems - Vulnerabilities in services, platforms, or partner organizations not owned or controlled by Tradier
  • User-dependent issues - Attacks requiring physical access, compromised devices, outdated software, or MITM positioning
  • Automated scanner output - We do not accept reports generated by automated tools without additional analysis and proof of exploitability
  • Theoretical vulnerabilities - Best practice recommendations or findings without demonstrated real-world impact
  • Known or duplicate issues - Previously reported vulnerabilities, issues under remediation, or P5 severity per Bugcrowd's VRT

Important Considerations for Researchers

When conducting security research on Tradier systems, please keep the following in mind:

Reporting Requirements

  • Submit detailed reports with clear, reproducible steps
  • Include proof of concept demonstrating the vulnerability
  • Consider both the attack scenario/exploitability AND the security impact
  • One vulnerability per report (submit separate reports for distinct issues)
  • Use Bugcrowd's Vulnerability Rating Taxonomy (VRT) for categorization

Eligibility Requirements

  • Researchers must be at least 18 years of age (or age of majority in your jurisdiction)
  • You must not be a current or former employee of Tradier or a contributor to affected code
  • You must not be a resident of a country under U.S. sanctions or export restrictions
  • You must comply with all applicable laws and regulations

Disclosure and Communication

  • Report vulnerabilities as soon as possible after discovery (ideally within 24 hours)
  • Do not publicly disclose vulnerabilities before receiving explicit written permission from Tradier
  • Respond promptly to any follow-up requests from the Tradier Security Team
  • Tradier maintains a strict non-disclosure policy - vulnerability details should NOT be shared publicly without authorization

Duplicate and Valid Reports

  • Only the first report of a unique vulnerability will be eligible for recognition
  • Duplicate reports will be closed and will not be eligible for rewards
  • Reports must demonstrate actual exploitability, not theoretical vulnerabilities
  • Vulnerabilities in shared code components will be counted as a single issue

Focus Areas

We are particularly interested in high-quality reports related to the following vulnerability categories:

  • Critical issues - Authentication/authorization flaws, RCE, SQL injection, SSRF
  • Account and financial security - Account takeover, fraud prevention, data exposure
  • API security - OAuth, API tokens, endpoint authentication, WebSocket/streaming
  • Web vulnerabilities - XSS, CSRF, file uploads, cryptographic issues
  • Mobile security - Authentication, data storage, deep links

Safe Harbor

Tradier will not pursue legal action against security researchers who conduct research in good faith and in accordance with this policy. Good-faith security research conducted under this policy is considered authorized activity.

We will not pursue legal action against researchers who:

  • Make a good-faith effort to comply with this policy during their research
  • Report vulnerabilities promptly and do not exploit them beyond what is necessary to demonstrate the issue
  • Avoid privacy violations, destruction of data, and disruption of services
  • Do not access, modify, or retain data belonging to other users
  • Maintain confidentiality of vulnerability details until Tradier has had reasonable time to remediate the issue

Report a Vulnerability

Please use the form below to submit your vulnerability report. Do not attempt to contact Tradier employees directly or through other channels.

Tradier Inc.
Tradier Brokerage Inc.
Member FINRA/SIPC.

3420 Toringdon Way, Suite 300
Charlotte, NC 28277
Phone: 980.272.3880
Email: service@tradierbrokerage.com

©2026, Tradier Inc., and subsidiaries. All rights reserved.