Skip to content

Security: SunrisesIllNeverSee/sigrank-mcp

Security

SECURITY.md

Security Policy

Reporting a vulnerability

If you discover a security vulnerability, please do not open a public issue.

Email: security@signalaf.com or report privately via GitHub Security Advisories.

Scope

  • The SigRank MCP CLI and MCP server
  • The submit/verify signing flow (ed25519)
  • The keystore and key management
  • Token privacy guarantees (token-only, no message content)

Out of scope

  • The signalaf.com web app (report at sigrank-app)
  • Supabase infrastructure
  • Third-party dependencies (report upstream)

Response timeline

  • Acknowledgement within 48 hours
  • Assessment within 7 days
  • Fix or mitigation depending on severity

There aren't any published security advisories