| Version | Supported |
|---|---|
| latest | ✅ |

Please do not report security vulnerabilities through public GitHub issues.
Email security@afripay.io with:
- A description of the vulnerability
- Steps to reproduce
- Potential impact
- Any suggested mitigations

You will receive a response within 48 hours. We aim to release a fix within 7 days for critical issues.

In scope:
- Authentication bypass
- Payment flow manipulation
- Webhook signature bypass
- Data exposure (user PII, wallet addresses)
- Injection vulnerabilities (SQL, XSS, CSRF)

Out of scope:
- Denial of service
- Social engineering
- Issues in third-party services (Privy, MoonPay, Yellow Card)

We follow responsible disclosure. Once a fix is deployed, we will publish a security advisory crediting the reporter (unless they prefer to remain anonymous).