Please do not open public GitHub issues for security vulnerabilities.
Instead:
- Gather the affected area, impact, and reproduction details.
- Contact the maintainers privately or use GitHub private vulnerability reporting if it is enabled for this repository.
- Give the maintainers time to validate and coordinate a fix before public disclosure.
Security reports are especially relevant for:
- wallet connection flows
- transaction signing and submission
- auth and session handling
- environment variable exposure
- client-side handling of privileged or gated resources
- Never commit live keys, API secrets, or production endpoints.
- Use
.env.examplefor safe placeholders. - Redact screenshots and logs before sharing them publicly.