Security: PrincessnJoy/stellarpay

Security Policy

Supported Versions

Version Supported
1.x
< 1.0

Reporting a Vulnerability

Please do not open a public GitHub issue for security vulnerabilities.

Report vulnerabilities by emailing security@stellarpay.dev with:

  1. Description of the vulnerability
  2. Steps to reproduce
  3. Potential impact
  4. Suggested fix (optional)

You will receive an acknowledgment within 48 hours and a detailed response within 7 days.

Disclosure Policy

  • We follow responsible disclosure.
  • We will coordinate a fix and public disclosure timeline with you.
  • We credit reporters in the release notes (unless you prefer anonymity).

Security Best Practices for Deployers

  • Never commit .env files or private keys to version control.
  • Rotate your JWT_SECRET and Stellar secret keys regularly.
  • Use Stellar testnet for development; never use mainnet keys in dev environments.
  • Keep dependencies up to date — run npm audit regularly.
  • Enable HTTPS in production.

There aren't any published security advisories