SaturnZap is under active development. Security updates apply to the latest minor release on main. Older versions are not patched.

Please do not open public GitHub issues for security vulnerabilities.

Report security issues privately via GitHub Security Advisories:

• Open a draft advisory at https://github.com/lqwdtech/SaturnZap/security/advisories/new
• This keeps the report private until a coordinated disclosure and lets us collaborate on the fix in the same thread.

Include:

• A description of the issue and its impact
• Reproduction steps (minimal proof-of-concept if possible)
• Affected version or commit hash
• Your suggested remediation, if any

• Initial acknowledgement within 72 hours
• Triage and severity assessment within 7 days
• Coordinated disclosure — we will agree on a fix window and public disclosure date with you before publishing

In scope:

• src/saturnzap/ — wallet core, CLI, MCP server, IPC, keystore, payments
• Build and release tooling (pyproject.toml, CI workflows, vendor wheel)
• Systemd service integration (sz service install)
• Documented security properties in docs/security-scenarios.md

Out of scope:

• Third-party dependencies (report upstream; we track via pip-audit)
• LDK Node internals (report to lightningdevkit/ldk-node)
• Self-inflicted key loss (forgotten passphrase, missing backups)
• Social engineering, phishing, or attacks requiring prior host compromise
• Denial of service via resource exhaustion (SaturnZap is a single-user CLI)

We publicly credit reporters in the release notes unless you request anonymity.

See docs/security-scenarios.md for the 10 scenarios we model, the protections in place, and the remaining gaps.