Security posture
Accord Protocol is not currently certified for mainnet production use. Mainnet writes should remain blocked until relevant scripts or contracts appear in signed audit manifests with mainnetAllowed: true.
The website preserves this language so humans and agents do not overstate readiness.
Threat boundaries
Verifier design, signer behavior, wallet security, bridge assumptions, facilitator proof, replay protection and rail-specific script correctness are separate trust boundaries.
Accord records work agreements and receipts. It does not remove the need for audits, policy caps, operational monitoring or incident response.
Reporting
Security-sensitive reports should use GitHub private vulnerability reporting or the channels described in the repository SECURITY.md. Public issues are not appropriate for exploitable vulnerabilities.
Reports should include affected components, reproduction steps, expected impact and whether public credit is requested.
Security operations
Boundaries that must stay explicit
Private vulnerability path
Use GitHub private vulnerability reporting or the process in SECURITY.md for exploitable issues.
Read SECURITY.md
Protocol and reference code
Schema handling, SDK behavior, rail adapters, signer assumptions and replay protection are in scope.
Browse packages
Audit manifests
Mainnet permission depends on signed manifests, not broad compatibility or marketing claims.
Audit evidence
Verifier and rail risk
Verifier quality, bridge behavior, facilitator proof and wallet policy remain external trust assumptions.
Conformance limits