If you discover a security vulnerability, please do NOT open a public issue.

Instead:

• Contact maintainers privately
• Provide a detailed report including:
  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if available)

We aim to acknowledge reports within 48 hours and provide updates as progress is made.

This policy applies to:

• Smart contracts
• Backend services
• APIs
• Infrastructure configurations

• Do not publicly disclose the vulnerability until it has been resolved
• Give maintainers reasonable time to fix the issue

• Never commit secrets
• Use environment variables
• Validate all external inputs
• Follow secure coding practices