As stated in the README. This software's purpose is to touch your company's money. It can read your transactions, add users to your account, and create expense cards. This is inherently risky and sensitive. Additionally this library is a point-to-point tool and has no access control of any kind. Moreover this is open source and freely available software. It is therefore impossible for the authors to make assurances about your security without investigating your unique environment. It is incumbent upon you, dear developer, to make well considered and careful judgments about exactly if, and how, you implement this software. While standing firmly on our disclaimer, we wish you Godspeed.
Universal Recommendations
- Don't take chances with user access.
- Don't needlessly expose login interfaces and tokens.
- Check your statements and logs regularly.
- Investigate unusual activity. Prompt action may prevent a minor incident from turning in to a serious one!
- Use secure channels whenever possible.
BE SURE YOU'RE SECURE
If there are any vulnerabilities in this library, don't hesitate to report them.
-
Use any of the private contact addresses.
-
Describe the vulnerability.
If you have a fix, that is most welcome -- please attach or summarize it in your message!
-
We will evaluate the vulnerability and, if necessary, release a fix or mitigating steps to address it. We will contact you to let you know the outcome, and will credit you in the report.
Please do not disclose the vulnerability publicly until a fix is released!
-
Once we have either a) published a fix, or b) declined to address the vulnerability for whatever reason, you are free to publicly disclose it.