Do not open a public GitHub issue for security vulnerabilities.

Email: [email protected]

You will receive acknowledgement within 48 hours and a resolution timeline within 7 days.

• All state-changing functions require explicit require_auth() from the relevant party
• Employer cannot withdraw employee funds; employee cannot access unearned funds
• Claimable amount is always capped at deposit - withdrawn — no over-payment possible
• Cancel pays employee their earned share first, then refunds employer the remainder
• Paused time is excluded from accrual — last_withdraw_time is reset on resume
• All token amounts use i128 — no floating-point arithmetic
• Stop time is validated to be in the future at stream creation