Do not open a public GitHub issue for security vulnerabilities.

Report security issues by emailing: tiago.sasaki@confenge.com.br

Include:

• Description of the vulnerability
• Steps to reproduce
• Potential impact assessment
• Your suggested fix (if any)

We will acknowledge receipt within 48 hours and aim to release a fix within 7 days for critical issues.

In scope:

• smartlic.tech and all subdomains
• SmartLic API endpoints
• Authentication and authorization bypasses
• Data exposure vulnerabilities

Out of scope:

• Denial of service attacks
• Social engineering
• Physical security
• Third-party services (Supabase, Railway, Stripe)