# Security Policy

This repository adheres to the [PayPal Vulnerability Reporting Policy](https://hackerone.com/paypal).

## Reporting a Vulnerability

If you think you have found a vulnerability in this repository, please report it to us through coordinated disclosure.

**Please do not report security vulnerabilities through public issues, discussions, or pull requests.**

Instead, report it using one of the following ways:

- Email the PayPal Security Team at [security@paypal.com](mailto:security@paypal.com)
- Submit through the [PayPal Bug Bounty Program](https://hackerone.com/paypal) on HackerOne
- Report a [vulnerability](https://github.com/braintree/credit-card-type/security/advisories/new) directly via private vulnerability reporting on GitHub

Please include the following in your report:

- The type of issue and affected version(s)
- Step-by-step instructions to reproduce the issue
- Impact of the issue and how an attacker might exploit it

## Supported Security Updates

Only the latest release receives security patches and new versions in the case of a security issue.

## Disclosure Policy

We are committed to working with security researchers in good faith. To support responsible disclosure, our team will:

- Acknowledge your report in a timely manner
- Keep you informed of our progress toward a fix
- Notify you before any public disclosure

We ask that you:

- Do not publicly disclose the issue before it has been resolved
- Avoid accessing, modifying, or deleting data that does not belong to you
- Make a good faith effort to avoid disruption to production systems

We appreciate responsible disclosure and your efforts to keep Braintree SDK users safe.
