Report security issues privately to the maintainers. Do not disclose suspected vulnerabilities in public issues before maintainers have acknowledged and triaged the report.

Never include live merchant credentials, provider keys, license signing keys, customer data, or production webhook secrets in reports. Use redacted values or replace-with-* placeholders.