Accrue treats billing data paths, webhook verification, and release automation as security-sensitive surfaces. Report suspected vulnerabilities privately so we can validate and coordinate a fix before disclosure.
| Version | Supported |
|---|---|
| 1.x | Yes |
| main | Yes |
Open a private GitHub security advisory on the repository, or contact the
maintainer through the GitHub identity szTheory if advisory access is not
available. Include:
- a description of the issue
- affected package and version
- reproduction steps or proof-of-concept details
- impact assessment, if known
Do not open a public GitHub issue for unpatched vulnerabilities.
We will acknowledge receipt, triage severity, and coordinate remediation and disclosure timing through the private report.
Webhook secrets, Hex API keys, and Release Please tokens must never be committed to the repository or printed in CI logs.
Keep Stripe API keys, signing secrets, and release credentials in runtime environment variables or the CI secret store. Sanitize examples, screenshots, and copied terminal output before sharing them in issues, pull requests, docs, or chat. Do not share customer data or PII in public reports, retained browser artifacts, or support requests.