Report suspected vulnerabilities privately to security@makepay.io.

• Do not put MakePay keys in GameMaker client code.
• Keep product amounts and entitlements in the relay catalog.
• Treat player IDs from the game as untrusted unless your own auth system signs or verifies them.
• Verify every MakePay webhook with X-MakePay-Signature.
• Replace the in-memory entitlement store before production use.