Security: SiLioLabs/PayFlow

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in PayFlow, please report it responsibly:

Preferred Method

Use GitHub Security Advisories to report vulnerabilities privately:

  1. Go to the "Security" tab in this repository
  2. Click "Report a vulnerability"
  3. Fill out the advisory form

Alternative Method

Email: [email protected]

Subject: [PayFlow Security] Brief description

What to Include

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact assessment
  • Suggested mitigations (if any)

Response Timeline

  • Acknowledgment: Within 48 hours
  • Fix timeline: Within 14 days for critical issues (depending on complexity)
  • Credit: We will credit researchers in release notes unless you prefer anonymity

Security Status

⚠️ PayFlow is currently deployed on Testnet only and has not been formally audited.

Do not use on Mainnet with real funds until an independent security audit is completed.

For detailed security information, see docs/SECURITY.md.

Scope

In scope for vulnerability reports:

  • Smart contract logic vulnerabilities
  • Authorization bypass issues
  • Fund loss or theft scenarios
  • Denial of service attacks
  • Integer overflow/underflow issues

Out of scope:

  • Issues in third-party dependencies (report to upstream)
  • Social engineering attacks
  • Physical security issues

Thank you for helping keep PayFlow secure!