
Security: accord-erp-automation/.github

SECURITY.md

Security Policy

Security issues should be reported privately.

Please do not open public issues for suspected vulnerabilities, exposed credentials, authentication problems, data leaks, unsafe ERP access, or deployment-sensitive configuration.

Reporting

Use GitHub private vulnerability reporting when available, or contact the repository maintainers through the organization owner.

Include:

  • Affected repository and component.
  • Steps to reproduce or enough detail to understand the risk.
  • Potential impact.
  • Any known workaround.

Scope

Security-sensitive areas include:

  • ERPNext credentials and database access.
  • Mobile API authentication and authorization.
  • Scale, printer, and hardware integration endpoints.
  • Telegram bot credentials and message workflows.
  • Archive storage and operational documents.
  • CI secrets, deployment keys, and environment files.

We aim to acknowledge serious reports quickly and coordinate fixes before public disclosure.
