We take the security of our users and their data seriously. Thank you for responsibly disclosing any vulnerabilities you may find.
Please report security issues through GitHub's private advisory workflow:
- Open a private report: https://github.com/dodopayments/billingsdk/security/advisories/new
Do not create a public issue for security reports. Using the private advisory keeps details confidential until a fix is available.
Provide enough information to help us reproduce and triage the issue:
- Affected version or commit SHA
- Environment details (OS, Node.js/PNPM/NPM versions, browser if applicable)
- Minimal reproducible steps or proof-of-concept
- Impact assessment and potential severity
- Any suggested mitigations
You may optionally include your preferred contact and whether you would like public credit after remediation.
We aim to:
- Acknowledge your report within 48 hours
- Provide a triage update within 5 business days
- Work on a fix and coordinated disclosure as quickly as possible, typically within 90 days depending on severity and complexity
We will keep you informed of progress and proposed disclosure timelines via the advisory thread.
Once a fix or mitigation is available, we will:
- Publish an advisory with CVSS-based severity
- Release patched versions and upgrade guidance
- Credit reporters who wish to be acknowledged
If you discover that details have become public before a fix is available, please notify us immediately via the advisory so we can expedite mitigation.
We generally provide security fixes for:
- The latest stable release
- The current `main` branch
When feasible, we may backport critical fixes to recent minor versions, but we encourage all users to stay up to date.
This policy covers vulnerabilities in this repository's source code and release artifacts. Vulnerabilities in third-party dependencies should be reported upstream; however, if a dependency issue critically impacts this project, you may still open an advisory here and we will coordinate as needed.
We will not pursue or support legal action against researchers who:
- Make a good-faith effort to comply with this policy
- Avoid privacy violations, data destruction, and service degradation
- Do not access or modify data without authorization
- Give us reasonable time to remediate before public disclosure
Thank you for helping keep the ecosystem secure.