Onsight moves real money (USDC escrow on Base) and authenticates owner actions with wallet signatures. If you find a vulnerability in the payment flow, escrow, refund, or signature-auth logic, we want to hear from you.
Do not open a public issue for security vulnerabilities.
- Email security@onsight.photo, or
- Use GitHub's private vulnerability reporting.
Please include enough to reproduce: the request, the response, and (for
payment/settlement issues) the on-chain txHash — which is public and safe to share.
Do not include private keys or signatures from a real funded wallet.
We'll acknowledge within a few business days and keep you posted on the fix. Please give us a reasonable window to patch before any public disclosure.