If you discover a security vulnerability in Router402, please report it responsibly.

Do not open a public GitHub issue for security vulnerabilities.

Instead, please email us at security@itublockchain.com with:

• A description of the vulnerability
• Steps to reproduce the issue
• Any relevant logs or screenshots
• Your suggested fix (if any)

We will acknowledge receipt within 48 hours and aim to provide a fix or mitigation within 7 days depending on severity.

This policy applies to:

• The Router402 gateway server (apps/server)
• The Router402 SDK (packages/sdk)
• The Router402 web application (apps/web)
• The MCP server (apps/mcp)
• The facilitator service (apps/facilitator)

We kindly ask that you:

• Give us reasonable time to address the issue before public disclosure
• Avoid accessing or modifying other users' data
• Act in good faith to avoid disruption to our services

We appreciate your help in keeping Router402 and its users safe.