If you discover a security vulnerability, please do not open a public issue.
Email: security@signalaf.com or report privately via GitHub Security Advisories.
- The SigRank MCP CLI and MCP server
- The submit/verify signing flow (ed25519)
- The keystore and key management
- Token privacy guarantees (token-only, no message content)
- The signalaf.com web app (report at sigrank-app)
- Supabase infrastructure
- Third-party dependencies (report upstream)
- Acknowledgement within 48 hours
- Assessment within 7 days
- Fix or mitigation depending on severity