Security fixes are provided for the latest published minor release.
Use GitHub's private vulnerability reporting for this repository. Do not open a public issue for a suspected vulnerability.
Do not include live tokens, passwords, client secrets, internal URLs, tenant names, customer identifiers, or unredacted ERP responses. Use synthetic examples and describe how maintainers can reproduce the issue locally.
We will acknowledge a complete report, assess severity, coordinate a fix and disclosure, and credit the reporter when requested.
- Use least-privilege Acumatica accounts.
- Register a public OAuth client with Authorization Code + PKCE; never distribute a client secret.
- Keep the base URL and OAuth endpoints on the same HTTPS origin.
- Protect the workstation with full-disk encryption and an individual OS account.
- Treat exports as company data and store/share them according to company policy.
- Do not run unofficial binaries or installers. Verify checksums and release provenance.