
Security: qoofa/key-value-store


SECURITY.md

Security Policy

Supported Versions

Version   Supported
0.1.x     Yes

Reporting a Vulnerability

Please do not open a public GitHub issue for security vulnerabilities.

Instead, send a description of the vulnerability to the maintainers privately:

  1. Open a GitHub Security Advisory (preferred).
  2. Or email the maintainers directly — check the go.mod module path for contact details.

Please include:

  • A description of the vulnerability and its potential impact
  • Steps to reproduce or proof-of-concept code
  • Any suggested mitigations

You can expect an acknowledgement within 48 hours and a resolution timeline within 7 days for critical issues.

Security Considerations

  • The REST API has no built-in authentication. Deploy behind a reverse proxy or API gateway that handles auth if exposing outside a trusted network.
  • TLS certificates for the gRPC frontend must be generated and managed by the operator. See env.example and README.md for guidance.
  • The PostgreSQL transaction logger uses credentials stored in environment variables — never hard-code secrets in source code or commit .env files.
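As an added illustration of the three considerations above (not code from the qoofa/key-value-store project), a startup config loader that takes Postgres credentials and TLS paths only from the environment, refuses to start when any are missing, and defaults the unauthenticated REST listener to loopback. The variable names KVS_REST_ADDR, KVS_TLS_CERT, KVS_TLS_KEY and PG* are assumptions for this example, not the ones in the project's env.example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// Config holds operator-supplied settings. The variable names (KVS_*, PG*)
// are assumptions for this example, not the project's own.
type Config struct {
	RESTAddr string // unauthenticated REST listener, so it defaults to loopback
	CertFile string // operator-managed TLS pair for the gRPC frontend
	KeyFile  string
	PGDSN    string // built from env at startup; never hard-coded in source
}

// LoadConfig reads settings via getenv (os.Getenv in production) and refuses
// to start when a database secret or a certificate path is missing.
func LoadConfig(getenv func(string) string) (Config, error) {
	c := Config{RESTAddr: getenv("KVS_REST_ADDR"), CertFile: getenv("KVS_TLS_CERT"), KeyFile: getenv("KVS_TLS_KEY")}
	if c.RESTAddr == "" {
		c.RESTAddr = "127.0.0.1:8080"
	}
	if c.CertFile == "" || c.KeyFile == "" {
		return Config{}, errors.New("KVS_TLS_CERT and KVS_TLS_KEY must both be set")
	}
	user, pass, host, db := getenv("PGUSER"), getenv("PGPASSWORD"), getenv("PGHOST"), getenv("PGDATABASE")
	if user == "" || pass == "" || host == "" || db == "" {
		return Config{}, errors.New("PGUSER, PGPASSWORD, PGHOST and PGDATABASE are required")
	}
	c.PGDSN = fmt.Sprintf("postgres://%s:%s@%s/%s?sslmode=require", user, pass, host, db)
	return c, nil
}

// RESTExposed is true when the listener would accept non-loopback connections
// (including ":port", which binds every interface, and any hostname, which is
// treated conservatively), i.e. when an authenticating reverse proxy or API
// gateway must sit in front of the REST API.
func RESTExposed(addr string) (bool, error) {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return false, err
	}
	ip := net.ParseIP(host)
	return ip == nil || !ip.IsLoopback(), nil
}
```

Wire LoadConfig(os.Getenv) into the server's startup path so a missing secret fails fast instead of falling back to a default. The DSN carries the password, so log RESTAddr and the file paths but never the DSN itself.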

There aren't any published security advisories