Skip to content

Security: Sage100/acumatica-bridge

SECURITY.md

Security Policy

Supported versions

Security fixes are provided for the latest published minor release.

Reporting a vulnerability

Use GitHub's private vulnerability reporting for this repository. Do not open a public issue for a suspected vulnerability.

Do not include live tokens, passwords, client secrets, internal URLs, tenant names, customer identifiers, or unredacted ERP responses. Use synthetic examples and describe how maintainers can reproduce the issue locally.

We will acknowledge a complete report, assess severity, coordinate a fix and disclosure, and credit the reporter when requested.

Operational security

  • Use least-privilege Acumatica accounts.
  • Register a public OAuth client with Authorization Code + PKCE; never distribute a client secret.
  • Keep the base URL and OAuth endpoints on the same HTTPS origin.
  • Protect the workstation with full-disk encryption and an individual OS account.
  • Treat exports as company data and store/share them according to company policy.
  • Do not run unofficial binaries or installers. Verify checksums and release provenance.

There aren't any published security advisories