If you believe you have found a security vulnerability in this SDK or in the SharpAPI service, please report it privately to:

hello@sharpapi.io (subject line: [SECURITY] <short summary>)

Please do not open a public GitHub issue for security reports.

We will acknowledge receipt within 72 hours and aim to provide a status update within 7 days. If the issue is confirmed, we will work with you on disclosure timing.

In scope:

• This SDK package and its published artifact on npm
• The SharpAPI HTTP and WebSocket APIs (api.sharpapi.io, ws.sharpapi.io)

Out of scope:

• Findings in third-party dependencies (please report those upstream)
• Denial of service via brute-force or volumetric attacks against the API
• Issues that require physical access to a user's device