We release security updates for the following versions:

| Version | Supported |
|---|---|
| 0.1.x | ✅ |
| < 0.1.0 | ❌ |
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them responsibly by emailing: security@acoriss.com
Include the following information:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact
- Suggested fix (if any)
- Acknowledgment: We'll acknowledge receipt within 48 hours
- Assessment: We'll assess the vulnerability and confirm if it's valid
- Fix Timeline: We'll provide an estimated timeline for a fix
- Update: We'll keep you informed of progress
- Disclosure: We'll coordinate disclosure timing with you
When using this SDK:

- Never commit API keys or secrets to version control
- Use environment variables for sensitive configuration:

  ```python
  import os

  # PaymentGatewayClient is the SDK's client class; import it from the SDK
  # package as described in the SDK README.
  client = PaymentGatewayClient(
      api_key=os.getenv('ACORISS_API_KEY'),
      api_secret=os.getenv('ACORISS_API_SECRET'),
  )
  ```

- Validate webhook signatures on your callback endpoints
- Use HTTPS for all callback and redirect URLs
- Keep the SDK updated to the latest version
- Use secrets management in production (e.g., AWS Secrets Manager, HashiCorp Vault)
- Review permissions - only grant necessary access
- HMAC-SHA256 Signatures: All API requests are signed using HMAC-SHA256 to prevent tampering
- HTTPS Required: Always use HTTPS for production environments
- No Sensitive Data in Logs: The SDK does not log sensitive information
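As an added example (not code from the SDK or from this policy), the following shows how a callback endpoint can validate an HMAC-SHA256 webhook signature using a constant-time comparison, covering both the "validate webhook signatures" practice and the HMAC-SHA256 signing feature above. The header name `X-Acoriss-Signature` and the signing scheme (hex HMAC-SHA256 over the raw request body, keyed with the API secret) are assumptions; check them against the SDK's actual webhook contract before use.

```python
import hashlib
import hmac
import os

# Assumed scheme (not specified on this page): the gateway sends the hex
# HMAC-SHA256 of the raw request body, keyed with the API secret, in a
# request header. Adjust the header name and encoding to the SDK's contract.
SIGNATURE_HEADER = "X-Acoriss-Signature"  # hypothetical header name


def compute_signature(secret: str, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 over the exact bytes received (never re-serialized JSON)."""
    return hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: str, headers: dict, raw_body: bytes) -> bool:
    """Return True only if the signature header matches the body.

    A missing header is rejected outright; the comparison is constant-time so
    a caller cannot learn how many leading characters matched.
    """
    received = headers.get(SIGNATURE_HEADER)
    if not received:
        return False  # unsigned callbacks are never accepted
    expected = compute_signature(secret, raw_body)
    return hmac.compare_digest(expected, received.strip().lower())


if __name__ == "__main__":
    # Constructed sample: secret from the environment and a fake callback body.
    secret = os.getenv("ACORISS_API_SECRET", "constructed-test-secret")
    body = b'{"event":"payment.completed","payment_id":"pay_123","amount":1000}'
    signed_headers = {SIGNATURE_HEADER: compute_signature(secret, body)}
    tampered = body.replace(b"1000", b"1")
    print(verify_webhook(secret, signed_headers, body))      # True
    print(verify_webhook(secret, signed_headers, tampered))  # False
```

Always compute the HMAC over the raw bytes of the request; parsing and re-serializing the JSON first can change whitespace or key order and make a valid signature fail.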
Security updates will be released as patch versions (e.g., 0.1.3) and documented in:
- CHANGELOG.md
- GitHub Security Advisories
- Release notes
We currently do not offer a bug bounty program, but we greatly appreciate responsible disclosure of security issues.
Thank you for helping keep Acoriss Payment Gateway SDK secure!