
Security: gatefareio/sdk-typescript

SECURITY.md

Security policy

Reporting a vulnerability

Email security@gatefare.io. Please include:

  • The version of @gatefare/client (or git commit) you found it in
  • A short description, repro steps, and the impact
  • (Optional) a suggested fix

We respond within 72 hours and aim to release a patched version within 7 days for high-severity issues. We will credit you in the CHANGELOG unless you ask us not to.

Don't open public issues for security bugs

GitHub Issues is public. If a vulnerability is exploitable, posting it publicly hands a free attack to anyone watching the repo before we ship a fix. Email instead.

What's in scope

  • The SDK itself (@gatefare/client published to npm)
  • The EIP-3009 signing flow in src/payment.ts
  • The spend-cap enforcement in src/spend-cap.ts — specifically any path where a call could exceed the configured cap, or sign an authorization before the cap check runs
  • The price-divergence guard in callApi — any path where the SDK would sign for a larger amount than the catalog quoted
  • The HTTP client to gatefare.io
  • Any leakage of the configured wallet private key via thrown errors, log output, or returned objects
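As an added example (not code from @gatefare/client or its src/ tree), the following TypeScript models the two ordering invariants the scope list names: the spend-cap check must run before anything is signed, and the signed amount must never exceed what the catalog quoted. `PaymentGuard`, `Quote`, `SpendCap` and the injected `Signer` hook are illustrative names assumed here; the real EIP-3009 signing in src/payment.ts is stood in for by a recording stub, and amounts are plain integers in token base units rather than bigint to keep the example dependency-free.

```typescript
// Added example modelling the spend-cap and price-divergence invariants.
// Not the SDK's own code: PaymentGuard, Quote, SpendCap and Signer are
// illustrative names assumed for this example. Amounts are integers in token
// base units (e.g. 6-decimal USDC); a real implementation would use bigint.

interface Quote { endpoint: string; price: number; }    // what the catalog quoted
interface SpendCap { perCall: number; total: number; }  // configured by the caller

// The signer is the only component that ever sees the private key. It is
// injected as a closure, so nothing in the guard can read the key or put it
// into an error message or a returned object.
type Signer = (endpoint: string, amount: number) => string;

class PriceDivergence extends Error {
  constructor(public readonly quoted: number, public readonly requested: number) {
    super(`requested ${requested} exceeds catalog quote ${quoted}`);
    this.name = "PriceDivergence";
  }
}

class CapExceeded extends Error {
  constructor(public readonly cap: number, public readonly wouldSpend: number) {
    super(`would spend ${wouldSpend}, cap is ${cap}`);
    this.name = "CapExceeded";
  }
}

class PaymentGuard {
  private spent = 0;
  constructor(private readonly cap: SpendCap, private readonly sign: Signer) {}

  // Every check runs before sign() is called, so a rejected call yields no
  // authorization at all. The running total is updated only after signing.
  authorize(quote: Quote, requested: number): string {
    if (requested < 0 || requested !== Math.floor(requested)) {
      throw new RangeError(`amount must be a non-negative integer, got ${requested}`);
    }
    if (requested > quote.price) throw new PriceDivergence(quote.price, requested);
    if (requested > this.cap.perCall) throw new CapExceeded(this.cap.perCall, requested);
    const wouldSpend = this.spent + requested;
    if (wouldSpend > this.cap.total) throw new CapExceeded(this.cap.total, wouldSpend);
    const authorization = this.sign(quote.endpoint, requested);
    this.spent = wouldSpend;
    return authorization;
  }

  get totalSpent(): number { return this.spent; }
}

// Constructed stand-in for the EIP-3009 flow: records every request it was
// asked to sign, so a test can prove that rejected calls never reached it.
function makeRecordingSigner(): { sign: Signer; signed: Array<[string, number]> } {
  const signed: Array<[string, number]> = [];
  const sign: Signer = (endpoint, amount) => {
    signed.push([endpoint, amount]);
    return `auth:${endpoint}:${amount}`;
  };
  return { sign, signed };
}

// Runs three calls against a constructed quote and cap and reports what happened.
function demo(): { first: string; divergence: boolean; capHit: boolean; signedCount: number; spent: number } {
  const { sign, signed } = makeRecordingSigner();
  const guard = new PaymentGuard({ perCall: 100, total: 150 }, sign);
  const quote: Quote = { endpoint: "/v1/search", price: 80 };  // constructed quote

  const first = guard.authorize(quote, 80);  // within quote and both caps: signed

  let divergence = false;                    // 81 > quoted 80: rejected before signing
  try { guard.authorize(quote, 81); } catch (e) { divergence = (e as Error).name === "PriceDivergence"; }

  let capHit = false;                        // 80 + 80 = 160 > total cap 150: rejected before signing
  try { guard.authorize(quote, 80); } catch (e) { capHit = (e as Error).name === "CapExceeded"; }

  return { first, divergence, capHit, signedCount: signed.length, spent: guard.totalSpent };
}

console.log(demo());
```

The point of the recording signer is that it turns the ordering requirement into something a unit test can assert: after the three calls, exactly one authorization exists, and neither rejected call left a signed artifact behind that a caller could later submit.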

What's out of scope

  • Vulnerabilities in gatefare.io itself — still email security@gatefare.io, but they go to a different triage queue
  • Issues in upstream dependencies (viem) — please report directly to that project
  • "The SDK lets a caller spend their own wallet" — that is the design. Configure spendCaps and fund the wallet with only what you intend to spend.

Disclosure

Once a fix is released:

  1. We publish a patched version on npm.
  2. We open a GitHub Security Advisory describing the issue and which versions are affected.
  3. The CHANGELOG gets a ### Security line for that version.

We will not request CVEs unless the issue is severe and exploitable in default configurations.