| Version | Supported |
|---|---|
| 1.0.x | Yes |
If you discover a security vulnerability in the Open Commerce Protocol, please report it responsibly.
Do not open a public GitHub issue for security vulnerabilities.
Instead, please email security@opencommerceprotocol.org with:
- A description of the vulnerability
- Steps to reproduce the issue
- The affected package(s) and version(s)
- Any potential impact assessment
We will acknowledge receipt within 48 hours and provide a detailed response within 7 days, including our assessment and planned remediation timeline.
- All published packages include only the `dist/` directory (via the `files` field in `package.json`)
- No secrets, API keys, or credentials are included in source code or published packages
- TypeScript strict mode is enforced across all packages
- Dependencies are regularly audited via `npm audit`
This policy applies to all packages published under the @opencommerceprotocol npm scope:
- @opencommerceprotocol/spec
- @opencommerceprotocol/runtime
- @opencommerceprotocol/validator
- @opencommerceprotocol/cli
- @opencommerceprotocol/bridge-mcp
- @opencommerceprotocol/bridge-ucp
- @opencommerceprotocol/bridge-acp
- @opencommerceprotocol/bridge-a2a
- @opencommerceprotocol/agent-discovery
- @opencommerceprotocol/registry
- @opencommerceprotocol/analytics
- @opencommerceprotocol/adapter-shopify
- @opencommerceprotocol/adapter-generic