Security disclosure.
Found a vulnerability in opchain? Thank you. This page is the contract for how to report it, what's in scope, and what to expect from us in return.
Report a vulnerability
Use the form below for the fastest path — it routes straight to our triage queue in Linear with a structured body so we can respond quickly. We acknowledge within 3 business days.
Please don't open a public GitHub issue, file feedback through the on-site widget, or post on social before we've had a chance to triage and patch.
Alternative channels
If your finding is too sensitive for a form (e.g. you need PGP before sharing details, or the report includes user PII), reach out directly:
- Email security@opchain.dev — ask for our PGP key in the first message; we'll exchange before you share details.
- Open a private GitHub Security Advisory against the repo.
Scope
In scope
- opchain.dev and staging.opchain.dev (Cloudflare Worker + Astro site)
- The opchain skill catalog under skills/ in the GitHub repo
- The /api/health, /api/feedback, /api/notify and /api/flags/public endpoints
- Build / supply-chain integrity of opchain-skills.zip
Out of scope
- Vulnerabilities in Claude Code, Claude.ai, or Anthropic infrastructure — report those to Anthropic
- Third-party services we link to (Linear, PostHog, Cloudflare) — report directly to the vendor
- Denial-of-service or load testing — Cloudflare handles edge protection, please don't probe
- Social engineering, physical attacks, or anything requiring privileged access
- Self-XSS, missing security headers without an exploit, theoretical CSRF on unauthenticated endpoints
Safe harbor
Research conducted under this policy — good-faith, in-scope, non-destructive — is authorised. We won't pursue legal action against you for testing in line with this page, and we'll do our best to extend that protection if a third party intercedes.
If you're uncertain whether something is in scope or whether your plan is non-destructive, ask first.
What we ship in return
- Acknowledgment in the GitHub Security Advisory and on this page (if you want it)
- A fix. Critical issues patched within 7 days; high within 30
- A CVE when the finding warrants one
- opchain swag for unique, high-impact findings — once we have swag
opchain is a small open-source project. We don't have a paid bug bounty, but every confirmed report earns public credit and our gratitude.
security.txt
Machine-readable disclosure metadata per RFC 9116, served at /.well-known/security.txt.
Contact: mailto:security@opchain.dev
Preferred-Languages: en
Canonical: https://opchain.dev/.well-known/security.txt
Policy: https://opchain.dev/security
Acknowledgments: https://github.com/asfbay-bit/opchain/security/advisories
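A practical check on the file above, added here as an example (not opchain's own code): RFC 9116 makes Contact and Expires mandatory, limits Expires and Preferred-Languages to one occurrence, requires https for web URIs, and expects the file at /.well-known/security.txt. The listing above carries no Expires field, which the RFC requires, and a validator like this one flags that. The SAMPLE_* strings are constructed for the demo, the Expires date in SAMPLE_FIXED is a hypothetical placeholder, and DEMO_NOW is a fixed clock so the run is reproducible.

```python
"""Check a security.txt file against the structural rules of RFC 9116.

Added example, not opchain's own code. SAMPLE_* strings are constructed for
this demo; the Expires date in SAMPLE_FIXED is a hypothetical placeholder.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Field names defined by RFC 9116 (matched case-insensitively).
KNOWN_FIELDS = {"acknowledgments", "canonical", "contact", "encryption",
                "expires", "hiring", "policy", "preferred-languages"}
SINGLE_FIELDS = {"expires", "preferred-languages"}   # MUST NOT appear more than once
URI_FIELDS = KNOWN_FIELDS - SINGLE_FIELDS            # values are URIs
WELL_KNOWN = "/.well-known/security.txt"
DEMO_NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)  # fixed clock for the demo


def signed_body(text: str) -> str:
    """Return the payload of an OpenPGP cleartext-signed file, else the text unchanged.
    The signature is NOT verified here; use gpg --verify for that."""
    lines = text.splitlines()
    if "-----BEGIN PGP SIGNED MESSAGE-----" not in lines:
        return text
    start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----") + 1
    while start < len(lines) and lines[start].strip():  # skip the Hash: armor header
        start += 1
    sig = "-----BEGIN PGP SIGNATURE-----"
    end = lines.index(sig) if sig in lines else len(lines)
    return "\n".join(lines[start:end])


def parse_fields(text: str) -> dict[str, list[str]]:
    """Map lowercased field name -> list of values, skipping blanks and # comments."""
    fields: dict[str, list[str]] = {}
    for raw in signed_body(text).splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate(text: str, *, served_at: str | None = None,
             now: datetime | None = None) -> list[str]:
    """Return the problems found; an empty list means every checked rule passed."""
    now = now or datetime.now(timezone.utc)
    fields = parse_fields(text)
    problems: list[str] = []

    if "contact" not in fields:
        problems.append("Contact is required (RFC 9116 s2.5.3) but missing")
    for name in SINGLE_FIELDS:
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name} must not appear more than once")

    if "expires" not in fields:
        problems.append("Expires is required (RFC 9116 s2.5.5) but missing")
    else:
        raw = fields["expires"][0]
        try:
            exp = datetime.fromisoformat(raw.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {raw!r}")
        else:
            if exp.tzinfo is None:
                problems.append("Expires must carry a UTC offset")
            elif exp <= now:
                problems.append(f"file expired at {raw}; treat its contents as stale")
            elif exp - now > timedelta(days=365):
                problems.append("Expires is over a year out; RFC 9116 recommends less")

    for name in URI_FIELDS:
        for value in fields.get(name, []):
            if urlparse(value).scheme == "http":   # web URIs MUST use https
                problems.append(f"{name}: web URI must use https: {value}")

    for name in fields:
        if name not in KNOWN_FIELDS:   # catches typos such as Acknowledgements
            problems.append(f"unknown field {name!r}")

    if served_at:
        if urlparse(served_at).path != WELL_KNOWN:
            problems.append(f"file should be served at {WELL_KNOWN}")
        if "canonical" in fields and served_at not in fields["canonical"]:
            problems.append(f"served at {served_at} but not listed in Canonical")
    return problems


# Constructed sample shaped like the file on this page: no Expires field.
SAMPLE_MISSING_EXPIRES = """\
Contact: mailto:security@opchain.dev
Preferred-Languages: en
Canonical: https://opchain.dev/.well-known/security.txt
Policy: https://opchain.dev/security
Acknowledgments: https://github.com/asfbay-bit/opchain/security/advisories
"""
# Same content plus the mandatory Expires (hypothetical date, under a year out).
SAMPLE_FIXED = SAMPLE_MISSING_EXPIRES + "Expires: 2026-06-30T00:00:00Z\n"

if __name__ == "__main__":
    for label, sample in (("as on page", SAMPLE_MISSING_EXPIRES), ("with Expires", SAMPLE_FIXED)):
        found = validate(sample, served_at="https://opchain.dev" + WELL_KNOWN, now=DEMO_NOW)
        print(label, "->", found or "OK")
```

Feed it the body you actually fetch over https (curl -s https://opchain.dev/.well-known/security.txt) and pass the fetched URL as served_at; an expired or missing Expires is the most common way a security.txt silently stops being trustworthy, so it is the check worth scripting into CI.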
Posture & hardening
Quick facts for anyone evaluating opchain for a regulated environment:
/api/notify. See privacy
For a deeper threat model and infrastructure hardening review on your own systems, run the oc-security-auditor skill. How opchain.dev is built documents the stack this page describes.