This project is currently pre-1.0. Security fixes are handled on a best-effort basis for:
| Version | Supported |
|---|---|
| latest main | Yes |
| latest tagged release | Yes |
| older releases | No |
Please do not open public GitHub issues for security vulnerabilities.
Examples of what counts as a security vulnerability:
- authentication or authorization bypass
- signature verification bypass
- webhook forgery or replay acceptance
- secret exposure
- payment amount tampering
- remote code execution
Use one of these paths:
- Prefer GitHub's private vulnerability reporting / security advisory flow if it is enabled for this repository.
- If that is not available, contact the maintainer privately through the contact options on the maintainer's GitHub profile.
When reporting, include:
- affected endpoint, flow, or component
- clear reproduction steps or a proof of concept
- impact assessment
- environment details and commit SHA if relevant
I will try to acknowledge valid reports within 7 days and coordinate a fix before public disclosure when possible.