Security

Reporting a vulnerability

If you believe you have found a security vulnerability in MCPWing, please report it by email to hello@mcpwing.com. Include a clear description, the steps to reproduce, and any relevant proof-of-concept details so we can investigate quickly. Please do not publicly disclose the issue until we have had a chance to address it.

Safe harbor

We support good-faith security research. If you make a good-faith effort to comply with this policy during your research, we will consider your research to be authorized, will work with you to understand and resolve the issue promptly, and will not pursue or support legal action against you. Good faith means you avoid privacy violations, data destruction, and service disruption, and you only interact with accounts you own or have explicit permission to test.

Acknowledgement time

We aim to acknowledge reports within 3 business days and will keep you informed as we work toward a resolution.

Our security practices

• All data is encrypted in transit using TLS.
• Secrets such as API keys and OAuth tokens are stored hashed.
• Per-organization Fireworks keys are encrypted at rest using AES-256-GCM.
• Multi-tenant isolation is enforced via Postgres Row-Level Security, so each organization's data is isolated from every other organization's.
• The Wing connector uses OAuth 2.1 with PKCE for authorization.