Do not report vulnerabilities with credentials, access tokens, account numbers, order payloads, or other sensitive financial data in a public GitHub issue.
Report security-sensitive problems by opening a private security advisory on GitHub:
https://github.com/nbsp1221/tossinvest-openapi/security/advisories/new
If the advisory flow is unavailable, open a public issue with only a minimal description and state that details can be shared privately. Do not include secrets or account-specific data.
Security reports are in scope when they affect this SDK, its generated types, package distribution, examples, documentation that can cause unsafe credential handling, or the release workflow.
Problems in Toss Securities Open API itself should be reported to Toss Securities through their official channels.
Only the latest published TypeScript package version receives security fixes.