# Security Policy
## Supported Versions
| Version | Supported |
| ------- | ------------------ |
| 1.x.x | :white_check_mark: |
| < 1.0 | :x: |
## Reporting a Vulnerability
**Please do not report security vulnerabilities through public GitHub issues.**
Instead, please report them via email to: **security@mcpsovereign.com**
Include the following information:
- Type of issue (e.g., buffer overflow, SQL injection, XSS)
- Full paths of source files related to the issue
- Location of the affected source code (tag/branch/commit or direct URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it
## Response Timeline
- **Initial Response**: Within 48 hours
- **Status Update**: Within 7 days
- **Resolution Target**: Within 90 days (depending on complexity)
## Safe Harbor
We consider security research conducted in good faith to be authorized. We will not pursue legal action against researchers who:
- Make a good faith effort to avoid privacy violations and data destruction
- Only interact with accounts they own or with explicit permission
- Do not exploit a vulnerability beyond what is necessary to confirm it
- Report vulnerabilities promptly
## Bug Bounty
We do not currently have a formal bug bounty program, but we may reward significant security discoveries with credits on the MCP Sovereign platform at our discretion.
## Lightning Network Security
Since MCP Sovereign uses Bitcoin Lightning for payments:
- Never share your wallet seed phrase
- Verify all payment requests before signing
- Use reputable Lightning wallet providers
- Keep wallet software updated
## No Token Scams
**There is no $SOVEREIGN token.** Any token, presale, or ICO claiming affiliation with MCP Sovereign is a SCAM. Report these to security@mcpsovereign.com.