Report suspected vulnerabilities privately to security@makepay.io.

• Protect Oracle Commerce webhook endpoints with Basic Authorization or another gateway-level control.
• Store MakePay keys in the service secret manager.
• Verify MakePay webhooks before updating orders or fulfillment state.
• Treat Oracle webhook payloads as server-side payment requests, not browser input.