Reporting a Vulnerability
Email: security@walletsuite.io

Include:
- Description of the vulnerability
- Steps to reproduce
- Impact assessment
- Affected component (MCP Server, REST API, SDK, website)
- Your contact information (optional, for follow-up)
Scope
| In Scope | Out of Scope |
|---|---|
| WalletSuite MCP Server (npm package, Docker image) | Social engineering |
| WalletSuite REST API | Denial of service attacks |
| WalletSuite SDK (@walletsuite/wallet-sdk) | Issues in third-party dependencies (report to the maintainer) |
| walletsuite.io website | Spam or phishing |
| OWS signing integration | Physical access attacks |
Response Timeline
| Stage | Timeframe |
|---|---|
| Acknowledgment | 48 hours |
| Triage and severity assessment | 5 business days |
| Fix (critical severity) | 72 hours |
| Fix (high severity) | 2 weeks |
| Fix (medium/low severity) | Next scheduled release |
Policy
- We do not pursue legal action against researchers who follow responsible disclosure.
- We will credit reporters in our changelog (unless you prefer to remain anonymous).
- We ask that you do not publicly disclose the vulnerability until we have released a fix or 90 days have passed, whichever comes first.
Severity Definitions
| Severity | Definition |
|---|---|
| Critical | Key material exposure, unauthorized signing, fund loss |
| High | Authentication bypass, privilege escalation, data exfiltration |
| Medium | Information disclosure, input validation bypass |
| Low | Documentation issues, minor misconfigurations |