# Security

Report vulnerabilities privately through [GitHub Security Advisories](https://github.com/flashnetxyz/wdk-protocol-swidge-orchestra/security/advisories/new) for this repository.

Do not open a public issue for a vulnerability. Include the affected version, reproduction steps, impact, and any relevant logs with secrets removed.

For package support, reach out to info@flashnet.xyz.

This package never stores wallet keys. WDK owns key material and signing. Host applications are responsible for durable persistence of swap state and for protecting backend API keys, scoped client keys, read tokens, and SSE tokens.