The main branch receives security fixes until versioned releases begin.

Email security reports to info@makepay.io.

Please include affected APIs, reproduction steps, expected impact, and any request or response examples with secrets removed.

• Do not put MakePay partner key secrets or webhook secrets in Flutter apps.
• Create payment links on a trusted backend.
• Verify webhooks against the exact raw request body.
• Treat checkout return parameters as untrusted hints and reconcile payment state server-side.