Security

Threat model, disclosure path, scanner invariants, and deployment security posture.

Report suspected vulnerabilities to security@opencommercegraph.com. Do not file public issues for exploitable bugs.

  • No package submits Solana transactions.
  • Schema and validator packages run offline by default.
  • No token, governance token, rewards token, or tokenomics code is allowed.
  • Private keys, seed phrase patterns, and strict payment PII are scanner-blocked.
  • The site is a static export served with HSTS, nosniff, frame controls, and a strict static-host CSP.

The demo uses fictional records and devnet-only flows. Never submit real merchant PII to demo fixtures.
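The scanner invariants above (private keys, seed phrase patterns, and payment PII blocked from fixtures) can be checked locally before a fixture is committed. The following is an added example written for this page, not the project's own scanner: the rules, category names and the JSON-walking helper are assumptions, and the seed-phrase rule is a word-shape heuristic rather than a BIP39 word-list lookup.

```python
import re
from typing import Iterator, List, Union

# Hypothetical rules for this example only; the project's real scanner
# invariants are not reproduced on the docs page.
BASE58_SECRET = re.compile(r"[1-9A-HJ-NP-Za-km-z]{86,88}")  # 64-byte Solana secret key in base58
SEED_WORD = re.compile(r"[a-z]{3,8}")
SEED_LENGTHS = {12, 15, 18, 21, 24}  # valid BIP39 mnemonic word counts
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; separates real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _walk(node) -> Iterator[Union[str, list]]:
    """Yield every string value and every list in a JSON-like fixture."""
    if isinstance(node, dict):
        for v in node.values():
            yield from _walk(v)
    elif isinstance(node, list):
        yield node
        for v in node:
            yield from _walk(v)
    elif isinstance(node, str):
        yield node


def scan_fixture(fixture) -> List[str]:
    """Return the sorted blocked-content categories found; [] means the fixture passes."""
    findings = set()
    for value in _walk(fixture):
        if isinstance(value, list):
            # A 64-entry byte array is the Solana keypair-file form of a secret key.
            if len(value) == 64 and all(isinstance(b, int) and 0 <= b <= 255 for b in value):
                findings.add("private-key")
            continue
        if BASE58_SECRET.fullmatch(value.strip()):
            findings.add("private-key")
        words = value.split()
        # Heuristic: a production scanner would check each word against the BIP39 list.
        if len(words) in SEED_LENGTHS and all(SEED_WORD.fullmatch(w) for w in words):
            findings.add("seed-phrase")
        for m in PAN_CANDIDATE.finditer(value):
            if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
                findings.add("payment-pan")
    return sorted(findings)
```

Run it over each fixture file (for example `scan_fixture(json.load(open(path)))`) in a pre-commit hook and reject the commit when the result is non-empty.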