We take security vulnerabilities seriously. If you discover a security issue in Signal Sentinel, please report it responsibly.

DO NOT create a public GitHub issue for security vulnerabilities.

Instead, please email: security@signalcoding.co.uk

Include:

• Description of the vulnerability
• Steps to reproduce
• Potential impact assessment
• Any suggested remediation

1. Acknowledgement: We will acknowledge receipt within 48 hours
2. Assessment: We will assess the vulnerability within 7 days
3. Resolution: Critical vulnerabilities will be patched within 30 days
4. Disclosure: We will coordinate disclosure timing with you

We do not currently operate a bug bounty program, but we will publicly acknowledge security researchers who report valid vulnerabilities (with their permission).

Signal Sentinel is built to comply with:

• OWASP Top 10 2025 - Web application security
• OWASP Agentic AI Top 10 (2026) - AI agent security (ASI01-ASI10)
• MOD JSP 440/656 - UK Defence secure development
• NCSC Cyber Essentials Plus - UK government security baseline

• All code changes require security-focused review
• Security-critical changes require senior review

• All dependencies are pinned to exact versions
• Automated vulnerability scanning in CI/CD
• No packages with known critical vulnerabilities

• No secrets in source code
• Azure Key Vault / cloud-native secret stores only
• Credentials never appear in logs

• SBOM generated for every release
• Package integrity verification
• Official registries only (NuGet, npm)

• 21 security rules across MCP server and Agent Skill scanning
• 13 MCP rules (SS-001 to SS-010, SS-019 to SS-021): tool poisoning, overbroad permissions, missing auth, supply chain, code execution, memory write, inter-agent comms, sensitive data, credential hygiene, OAuth 2.1 compliance, package provenance
• 8 Skill rules (SS-011 to SS-018): prompt injection, scope violation, credential access, data exfiltration, obfuscation, script payloads, excessive permissions, hidden content
• Cross-server attack path analysis
• Supply chain integrity checks (hash pinning, typosquat detection)
• OWASP Agentic AI Top 10 (ASI01-ASI10) + OWASP MCP Top 10 (MCP01-MCP10) dual compliance mapping
• v2.1.1: SHA-pinned CI/CD, SSRF protection, symlink escape protection, regex timeouts, TLS enforcement, bounded reads

• Real-time tool call filtering
• Response sanitisation (injection pattern removal)
• PII redaction
• Anomaly detection and kill switch

• Security issues: security@signalcoding.co.uk
• General inquiries: info@signalcoding.co.uk

Copyright 2026 Signal Coding Limited. All rights reserved.