If you discover a security vulnerability in the Qredex Java SDK, please report it responsibly.
Do not open a public GitHub issue for security vulnerabilities.

Email: security@qredex.com

Include:
- Description of the vulnerability
- Steps to reproduce
- Impact assessment
- Suggested fix (if any)

We will acknowledge receipt within 48 hours and provide a timeline for resolution.

| Version | Supported |
|---|---|
| 0.1.x | ✅ Current |

This policy covers the com.qredex:qredex-java Java artifact and its source code in this repository.
It does not cover:
- The Qredex API itself (report API vulnerabilities to security@qredex.com separately)
- Third-party dependencies (report to their maintainers directly)

The SDK is designed with these security principles:
- Secrets are never logged. Client IDs, client secrets, and raw tokens are always redacted.
- Integrations API only. No merchant or internal admin endpoints are exposed.
- Token caching is in-memory only. Tokens are never written to disk.
- Writes are not retried automatically. Only auth token fetches are retried with backoff.