Security: smileidentity/api-reference

SECURITY.md

Security Policy

Reporting a Vulnerability

If you believe you have found a security vulnerability in the Smile Identity API or in any of the OpenAPI specifications published in this repository, please report it privately rather than opening a public issue.

Email: security@smileidentity.com

Please include:

  • A description of the issue and its potential impact.
  • Steps to reproduce, or a proof-of-concept if available.
  • Any relevant request/response samples (with sensitive data redacted).
  • Your contact details, so we can follow up.

We aim to acknowledge reports within 3 business days and to provide a substantive response within 10 business days. Please give us a reasonable opportunity to address the issue before any public disclosure.

Scope

This repository contains API specifications only — no production code or credentials. Reports relating to:

  • Inaccuracies in the OpenAPI specifications themselves (e.g. incorrect schemas or descriptions),
  • Vulnerabilities in the deployed Smile Identity API endpoints,
  • Issues affecting the integrity of this repository (e.g. supply-chain concerns in CI workflows),

are all in scope and welcome.

Out of Scope

  • Vulnerabilities in third-party services we link to (please report those to the relevant vendor).
  • Findings that require physical access, social engineering, or DoS testing against production endpoints.

There aren't any published security advisories