Please do not open public GitHub issues for security vulnerabilities.

Email support@requesttap.ai with:

• A description of the vulnerability
• Steps to reproduce
• Potential impact
• Any suggested fixes (optional)

The following components are in scope:

• Gateway (packages/gateway) — middleware pipeline, payment flow, proxy
• SDK (packages/sdk) — agent client, payment handling
• Dashboard (dashboard) — admin UI, API proxy
• Contracts (contracts/) — SKALE BITE Solidity

• Acknowledgment: within 48 hours
• Initial assessment: within 5 business days
• Critical issues: aim to resolve within 7 days

• Payment bypass or manipulation
• Authentication/authorization bypass (admin API, API key auth)
• SSRF or request smuggling
• Injection vulnerabilities (SQL, command, header)
• Private key or secret exposure
• Replay protection bypass
• Mandate enforcement bypass (spend caps, allowlists, expiry)
• Cross-site scripting (XSS) in the dashboard

We appreciate responsible disclosure and will credit reporters in the changelog (unless you prefer to remain anonymous).