
Security: Tempo-Kit/TemPayout


SECURITY.md

Security Policy

Supported Versions

Version Supported
0.1.x
< 0.1

Reporting a Vulnerability

Please DO NOT file a public GitHub issue for security vulnerabilities.

Instead, please report them via:

  1. Email: security@tempayout.io (if available)
  2. GitHub Private Vulnerability Reporting: Use the "Report a vulnerability" tab in this repository's Security tab

What to Include

When reporting, please include:

  • Type of vulnerability (e.g., data exposure, injection, authentication bypass)
  • Full paths of source file(s) related to the vulnerability
  • Location of the affected source code (tag/branch/commit or direct URL)
  • Any special configuration required to reproduce the issue
  • Step-by-step instructions to reproduce the issue
  • Proof-of-concept or exploit code (if possible)
  • Impact assessment: how might this vulnerability be exploited?

Response Timeline

  • Acknowledgment: Within 48 hours
  • Initial Assessment: Within 7 days
  • Fix Timeline: Depends on severity (critical: 7 days, high: 30 days, medium: 90 days, low: next release)

Security Best Practices for Users

Private Key Handling

  • Never store private keys in config files
  • Never log private keys or seed phrases
  • Use environment variables or hardware wallets for production
  • Rotate keys regularly

# Good
TEMPO_PRIVATE_KEY=0x123...abc tempayout send --input payouts.csv

# Bad - Never do this
tempayout send --input payouts.csv --private-key 0x123...abc
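As an added example (not TemPayout's own code), the Node.js snippet below shows how a CLI can enforce the rule above at startup: it refuses a key given as a command-line flag, reads TEMPO_PRIVATE_KEY from the environment (that variable name is taken from the "Good" command; every function name here is illustrative), validates the value without echoing it into error messages, removes it from the environment so child processes do not inherit it, and wraps it so that an accidental console.log or JSON.stringify of a config object prints a placeholder instead of the key.

```javascript
// Added example: safe intake of the sender private key for a CLI like tempayout.
// Not TemPayout's own code; TEMPO_PRIVATE_KEY is the variable used in the
// policy above, all function names here are illustrative.

const PRIVATE_KEY_RE = /^0x[0-9a-fA-F]{64}$/; // 32-byte secp256k1 scalar, hex

// argv is visible in `ps`, shell history and CI job logs, so a key passed
// there is already leaked. Refuse to run instead of quietly accepting it.
function rejectCliKey(argv) {
  const hit = argv.find((a) => a === '--private-key' || a.startsWith('--private-key='));
  if (hit !== undefined) {
    // Deliberately do not include the argument value in the message.
    throw new Error('refusing --private-key on the command line; set TEMPO_PRIVATE_KEY instead');
  }
}

// Read the key from the environment object, validate its shape, and remove it
// from that object so subprocesses spawned later do not inherit it.
function readKeyFromEnv(env) {
  const raw = env.TEMPO_PRIVATE_KEY;
  if (raw === undefined || raw === '') {
    throw new Error('TEMPO_PRIVATE_KEY is not set');
  }
  if (!PRIVATE_KEY_RE.test(raw)) {
    // A near-miss (typo, trailing newline) is still a secret: never echo it.
    throw new Error('TEMPO_PRIVATE_KEY is not a 0x-prefixed 64-hex-digit string');
  }
  delete env.TEMPO_PRIVATE_KEY;
  return raw;
}

// Keep the key in a closure. Only callers that really need it get it, via
// withKey(); string, JSON and console.log renderings show a placeholder, so a
// stray log of the config object cannot leak it.
function makeKeyHandle(privateKey) {
  const redacted = '[private key redacted]';
  return {
    withKey(fn) { return fn(privateKey); },
    toString() { return redacted; },
    toJSON() { return redacted; },
    [Symbol.for('nodejs.util.inspect.custom')]() { return redacted; },
  };
}

// Entry point a CLI would call once at startup, e.g.
// const signer = loadSender(process.env, process.argv);
function loadSender(env, argv) {
  rejectCliKey(argv);
  return makeKeyHandle(readKeyFromEnv(env));
}
```

One caveat worth knowing about the "Good" form: in bash the whole line, including the leading `TEMPO_PRIVATE_KEY=0x123...abc` assignment, is still written to shell history. Exporting the variable from a file with 0600 permissions or from a secrets manager, or using the hardware wallet / signing service the checklist below recommends, keeps the key out of history entirely.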

Environment Configuration

# Use a dedicated sender wallet (not main treasury)
# Use separate configs for dev/staging/production
# Never use --yes flag in CI without dry-run verification first

Production Checklist

  • Use hardware wallet or signing service for key management
  • Run tempayout doctor to verify environment
  • Test with small amounts first (1/100th of actual payout)
  • Review --dry-run output before confirming
  • Export success.csv for accounting records
  • Monitor failed.csv for data quality issues
  • Keep backup of successful transaction hashes
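The following is an added example, not TemPayout's own code: a pre-flight pass over a payouts CSV that mirrors the checklist above. It validates every row, splits the file into payable rows and failed rows with a reason (the shape of failed.csv), and scales amounts to 1/100th for the trial run the checklist recommends. The column names (address, amount, memo) are an assumption about the input format, and the CSV content is constructed.

```javascript
// Added example, not TemPayout's own code: pre-flight validation of a payouts
// CSV. Column names (address,amount,memo) are an assumption; the sample is constructed.

const ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/;
const MEMO_MAX_BYTES = 32; // the memo is a bytes32 on-chain (see transferWithMemo below)

// Constructed sample input with the kinds of defects failed.csv should surface.
const SAMPLE_PAYOUTS_CSV = [
  'address,amount,memo',
  '0x1111111111111111111111111111111111111111,1000,INV-2024-001',
  'not-an-address,500,INV-2024-002',
  '0x2222222222222222222222222222222222222222,0,INV-2024-003',
  '0x3333333333333333333333333333333333333333,250,INV-2024-004',
  '0x1111111111111111111111111111111111111111,1000,INV-2024-001',
].join('\n');

// Minimal CSV reader for unquoted fields; returns one object per data row,
// keeping the 1-based line number so failed.csv can point back at the source.
function parseCsv(text) {
  const [header, ...lines] = text.trim().split(/\r?\n/);
  const cols = header.split(',').map((c) => c.trim());
  return lines.map((line, i) => {
    const cells = line.split(',').map((c) => c.trim());
    const row = { line: i + 2 }; // header is line 1
    cols.forEach((c, j) => { row[c] = cells[j] ?? ''; });
    return row;
  });
}

// Validate one row; return a reason string, or null when the row is acceptable.
function rowProblem(row) {
  if (!ADDRESS_RE.test(row.address)) return 'malformed recipient address';
  if (!/^[0-9]+$/.test(row.amount)) return 'amount is not a non-negative integer';
  if (BigInt(row.amount) === 0n) return 'zero amount';
  if (new TextEncoder().encode(row.memo).length > MEMO_MAX_BYTES) return 'memo longer than 32 bytes';
  return null;
}

// Split rows into payable and failed (with reasons). A repeated (address, memo)
// pair is treated as a data-quality failure: the same invoice paid twice is the
// most common spreadsheet mistake.
function preflight(csvText) {
  const seen = new Set();
  const payable = [];
  const failed = [];
  for (const row of parseCsv(csvText)) {
    let reason = rowProblem(row);
    const key = `${row.address.toLowerCase()}|${row.memo}`;
    if (reason === null && seen.has(key)) reason = 'duplicate address+memo pair';
    if (reason === null) { seen.add(key); payable.push(row); } else { failed.push({ ...row, reason }); }
  }
  return { payable, failed };
}

// Scale amounts down for a trial run (1/100th by default). Rows whose scaled
// amount rounds to zero are reported rather than silently sent as 0.
function scaleForTrial(rows, divisor = 100n) {
  const trial = [];
  const tooSmall = [];
  for (const row of rows) {
    const amount = BigInt(row.amount) / divisor;
    if (amount === 0n) tooSmall.push(row); else trial.push({ ...row, amount: amount.toString() });
  }
  return { trial, tooSmall };
}

// Render failed rows in the shape of a failed.csv for review.
function failedCsv(failed) {
  const header = 'line,address,amount,memo,reason';
  return [header, ...failed.map((r) => [r.line, r.address, r.amount, r.memo, r.reason].join(','))].join('\n');
}
```

Running `preflight(SAMPLE_PAYOUTS_CSV)` on the constructed file yields two payable rows and three failed ones (a malformed address, a zero amount, and a duplicate invoice); `scaleForTrial` then turns 1000 and 250 into 10 and 2 for the test batch.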

Known Security Considerations

Network Security

  • Always use HTTPS for RPC endpoints
  • Verify RPC URL matches expected chain (chainId 22040 for Tempo mainnet)
  • Be aware of RPC provider rate limits
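As an added example (not from the TemPayout project), here is a pre-flight check for the first two points: it rejects RPC URLs that are not HTTPS (or WSS), sends the standard JSON-RPC `eth_chainId` call, and compares the reply with 22040, the Tempo mainnet chain id stated above (0x5618 in hex). The URL and the JSON-RPC replies are constructed samples; the transport is injectable so the check can be exercised offline.

```javascript
// Added example, not TemPayout's own code. Chain id 22040 is the Tempo mainnet
// value from the policy above; the URLs and JSON-RPC replies are constructed.

const TEMPO_MAINNET_CHAIN_ID = 22040n;

// Reject plaintext transports (an attacker on the path could swap addresses or
// chain ids in replies) and anything that is not a URL at all.
function checkRpcUrl(url) {
  let parsed;
  try { parsed = new URL(url); } catch { return { ok: false, reason: 'not a valid URL' }; }
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'wss:') {
    return { ok: false, reason: `insecure transport ${parsed.protocol}` };
  }
  return { ok: true, reason: '' };
}

// Body to POST to the endpoint; eth_chainId is the standard JSON-RPC method.
function chainIdRequest() {
  return JSON.stringify({ jsonrpc: '2.0', id: 1, method: 'eth_chainId', params: [] });
}

// Parse the reply and compare against the chain id the operator expects.
function checkChainId(replyText, expected = TEMPO_MAINNET_CHAIN_ID) {
  let reply;
  try { reply = JSON.parse(replyText); } catch { return { ok: false, reason: 'reply is not JSON' }; }
  if (reply.error) return { ok: false, reason: `rpc error: ${reply.error.message}` };
  if (typeof reply.result !== 'string' || !/^0x[0-9a-fA-F]+$/.test(reply.result)) {
    return { ok: false, reason: 'eth_chainId result is not a hex quantity' };
  }
  const actual = BigInt(reply.result);
  if (actual !== expected) {
    return { ok: false, reason: `chain id ${actual} does not match expected ${expected}` };
  }
  return { ok: true, reason: '' };
}

// Default transport using the global fetch (Node 18+); tests inject a fake one.
async function defaultPost(url, body) {
  const res = await fetch(url, { method: 'POST', headers: { 'content-type': 'application/json' }, body });
  return res.text();
}

// Full check: transport first, then the live chain id.
async function preflightRpc(url, post = defaultPost) {
  const transport = checkRpcUrl(url);
  if (!transport.ok) return transport;
  return checkChainId(await post(url, chainIdRequest()));
}

// Constructed replies for the usage below: Tempo mainnet (0x5618 == 22040)
// and a node that is actually on a different chain.
const SAMPLE_REPLY_MAINNET = JSON.stringify({ jsonrpc: '2.0', id: 1, result: '0x5618' });
const SAMPLE_REPLY_WRONG = JSON.stringify({ jsonrpc: '2.0', id: 1, result: '0x1' });
```

Run the check once per process before any transaction is signed, and treat a mismatch as fatal rather than a warning: a payout signed for the wrong chain id is simply rejected by the right network, but a key reused on an unexpected chain can still move funds there.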

Data Privacy

  • CSV files may contain sensitive recipient information
  • Run journals contain transaction details
  • Clear sensitive data before sharing logs

Smart Contract Interaction

  • TemPayout uses transferWithMemo(address to, uint256 amount, bytes32 memo)
  • Verify contract address matches expected TIP-20 token
  • Transaction hash serves as payment proof on-chain
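As an added example (not TemPayout's own code), the snippet below shows the check behind the second point: before a prepared transaction is broadcast, decode its calldata as transferWithMemo(address,uint256,bytes32) (the signature given above) and confirm it targets the expected TIP-20 token, carries no native value, and stays under a per-transaction cap. The 4-byte selector and every address in it are constructed placeholders: the real selector is the first four bytes of keccak-256 over the signature string, and Node's standard library has no keccak, so it is passed in as a parameter rather than computed here.

```javascript
// Added example, not TemPayout's own code. transferWithMemo(address,uint256,bytes32)
// is the signature from the policy above; PLACEHOLDER_SELECTOR and the
// addresses are constructed stand-ins, not the real Tempo values.

const WORD_HEX = 64; // one 32-byte ABI word, in hex digits

function normalizeAddress(a) {
  if (typeof a !== 'string' || !/^0x[0-9a-fA-F]{40}$/.test(a)) throw new Error('malformed address');
  return a.toLowerCase();
}

// uint256 as a left-padded 32-byte word.
function hexWord(value) {
  return value.toString(16).padStart(WORD_HEX, '0');
}

// bytes32 memo from a short UTF-8 string, right-padded with zero bytes.
function memoFromString(s) {
  const bytes = new TextEncoder().encode(s);
  if (bytes.length > 32) throw new Error('memo exceeds 32 bytes');
  const hex = Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
  return '0x' + hex.padEnd(WORD_HEX, '0');
}

// ABI-encode the call: selector || pad32(to) || uint256(amount) || bytes32(memo).
function encodeTransferWithMemo(selector, to, amount, memo) {
  return selector.toLowerCase()
    + normalizeAddress(to).slice(2).padStart(WORD_HEX, '0')
    + hexWord(amount)
    + memo.slice(2).toLowerCase();
}

// Strict decoder: exact length, clean padding, no trailing bytes.
function decodeTransferWithMemo(data) {
  const hex = data.startsWith('0x') ? data.slice(2) : data;
  if (!/^[0-9a-fA-F]*$/.test(hex)) throw new Error('calldata is not hex');
  if (hex.length !== 8 + 3 * WORD_HEX) throw new Error('calldata length mismatch: expected selector + 3 words');
  const word = (i) => hex.slice(8 + i * WORD_HEX, 8 + (i + 1) * WORD_HEX);
  const toWord = word(0);
  if (!/^0{24}/.test(toWord)) throw new Error('address word has non-zero padding');
  return {
    selector: '0x' + hex.slice(0, 8).toLowerCase(),
    to: '0x' + toWord.slice(24).toLowerCase(),
    amount: BigInt('0x' + word(1)),
    memo: '0x' + word(2).toLowerCase(),
  };
}

// Gate to run on every prepared tx: right contract, right function, sane amount.
function verifyPayoutTx(tx, expected) {
  const problems = [];
  if (normalizeAddress(tx.to) !== normalizeAddress(expected.token)) problems.push('tx.to is not the expected TIP-20 token');
  if (tx.value !== undefined && BigInt(tx.value) !== 0n) problems.push('native value attached to a token transfer');
  let args;
  try { args = decodeTransferWithMemo(tx.data); } catch (e) { return { ok: false, problems: [...problems, e.message] }; }
  if (args.selector !== expected.selector.toLowerCase()) problems.push('calldata does not call transferWithMemo');
  if (args.amount === 0n) problems.push('zero amount');
  if (args.amount > expected.maxAmount) problems.push(`amount ${args.amount} exceeds per-tx cap ${expected.maxAmount}`);
  return { ok: problems.length === 0, problems, args };
}

// Constructed placeholders for the usage below (NOT the real selector or token).
const PLACEHOLDER_SELECTOR = '0x11223344';
const PLACEHOLDER_TOKEN = '0x' + 'aa'.repeat(20);
```

Keep `expected.token` and the selector in the checked-in production config rather than deriving them from whatever the RPC node reports, so a compromised or misconfigured endpoint cannot redirect payouts to a look-alike contract. The decoded `args` are also what you log beside the transaction hash so that the on-chain payment proof can be reconciled with the CSV row it came from.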

Incident Response

If you suspect a security incident:

  1. Immediately revoke compromised keys
  2. Do not modify evidence (preserve logs)
  3. Contact the team via security@tempayout.io
  4. Document what happened and when
  5. Coordinate disclosure with team

Security Updates

Security updates are released as patch versions (0.1.1, 0.1.2, etc.) and announced via:

  • GitHub Security Advisories
  • Release notes
  • npm security alerts

We recommend watching the repository for updates:

# Watch releases on GitHub
# Or use npm audit
npm audit

Acknowledgments

Security researchers who report issues help keep TemPayout safe for everyone. Thank you!

There aren’t any published security advisories