This policy applies to the signnow/sn-mcp-server repository and any packages published from it (e.g., the PyPI package, if applicable).

We provide security fixes for the latest minor release line (N) and the previous one (N-1). Older versions may receive fixes at our discretion.

Please do not open public issues for security problems.

Use GitHub’s Private vulnerability reporting:

1. Go to this repository → Security tab → Report a vulnerability.
2. Fill out the advisory form with:

• Affected version(s) and environment
• Impact and clear reproduction steps (PoC if possible)
• Any suggested mitigation/fix
• (Optional) CVSS v3.1 vector and your severity assessment
• Your GitHub handle and preferred credit name

If you cannot use GitHub, you may email the maintainers at [add your security email/contact here]. Consider sharing encrypted details or a link to a secure channel.

We will acknowledge within 3 business days, triage within 7 business days, and keep you updated throughout remediation.

For confirmed issues we will:

• Assign a severity, create a private advisory, and work in a private fix branch/fork.
• Target timelines (guidelines, not guarantees):
  • Critical: fix or mitigation target ≤ 14 days
  • High: ≤ 30 days
  • Medium: ≤ 90 days
  • Low: best effort / next release
• Publish a security advisory with release notes once a fix is available, and credit the reporter unless you request otherwise.

Please give us reasonable time to remediate before any public disclosure.

In scope: vulnerabilities in this repository and its released artifacts (server binaries/containers/packages).
Out of scope: issues in SignNow production services, APIs, web apps, infrastructure, or third-party platforms. For those, use the official SignNow channels.

Good-faith, non-destructive research is welcome. Please do not:

• Perform denial-of-service, spam, or load testing against SignNow or third-party systems
• Exfiltrate or access data that is not yours
• Use social engineering, phishing, or physical intrusion
• Report issues that only affect third-party dependencies without showing exploitability in this project
• Disclose secrets or tokens belonging to real users

We will not initiate legal action for good-faith research that:

• Stays within scope and avoids privacy violations or service disruption
• Uses your own accounts/test data
• Reports findings privately and allows reasonable remediation time

• Never commit secrets; use environment variables or a secret manager
• In HTTP mode, run behind HTTPS (reverse proxy/ingress) and use short-lived tokens
• In production, provide a persistent RSA private key for OAuth via OAUTH_RSA_PRIVATE_PEM (rotate and back up securely)
• Restrict ALLOWED_REDIRECTS to known URIs; use least-privilege SignNow credentials and rotate regularly

See the project README for setup and configuration details.