Security

Last updated:

GrantLock is a pre-runtime scanner. The OSS edition runs locally and phones home to nothing. The Free Binary phones home only to the documented telemetry and update endpoints. The Cloud product runs on Cloudflare Workers + Neon Postgres with row-level security between organizations.

Threat model in one paragraph

GrantLock is run by developers, security engineers, and CI pipelines against MCP configurations they already have access to. The scanner reads YAML/JSON configuration, optionally connects to MCP servers in read-only mode to enumerate tools and resources, applies a deterministic rule set, and writes a report. The scanner is not in the runtime path of an agent and cannot exfiltrate data from servers it inspects beyond what the operator already grants.

Trust boundaries

  • Scanner host trusts the operator. The scanner runs with the operator's privilege; it does not escalate.
  • Scanner does not trust MCP servers. Server-supplied tool definitions and resource lists are treated as untrusted input — the rule engine reasons about them but does not execute them.
  • Scanner does not trust the rule catalog beyond signature. Premium rules ship with detached cosign signatures verified before execution.
  • Cloud product enforces tenant isolation in the database. Every customer-data table is row-level-security-enabled. The connection role used by the Worker has no superuser privilege and sees only rows whose organization_id matches the current session's claim.

Cryptography

  • Binaries are signed with cosign keyless OIDC and verifiable via Sigstore.
  • SHA-256 + SHA-512 checksums are published per release at /releases.
  • Signed download tokens issued by the website use HMAC-SHA256 and expire in 24 hours.
  • Premium rules and update manifests are signed with Ed25519. The shim verifies signatures before applying any rule update.
  • Argon2id is used for any locally-hashed credential material.
  • TLS 1.2 or higher is enforced for all server destinations.

Filesystem hardening (Free Binary)

On first run, the Free Binary creates ~/.grantlock/ with mode 0o700 on Unix (DACL restricted to the current user on Windows) and verifies the permissions on every sensitive write as defense-in-depth against post-first-run tampering.
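The create-then-re-verify pattern described above, as an added Python example for Unix only; it is not GrantLock's code. The function names, the `UnsafeStateDir` exception and the 0o600 file mode are assumptions, and the Windows DACL path is not covered.

```python
import os
import stat

PRIVATE_DIR_MODE = 0o700   # mode the page states for ~/.grantlock/
PRIVATE_FILE_MODE = 0o600  # assumption: the page does not state a file mode


class UnsafeStateDir(Exception):
    """Raised when the state directory no longer meets the expected permissions."""


def ensure_private_dir(path):
    """First-run step: create the directory owner-only, regardless of umask."""
    os.makedirs(path, mode=PRIVATE_DIR_MODE, exist_ok=True)
    os.chmod(path, PRIVATE_DIR_MODE)  # makedirs' mode argument is masked by umask
    return path


def check_private_dir(path):
    """Re-check before a sensitive write: real dir, owned by us, mode exactly 0o700."""
    st = os.lstat(path)  # lstat, so a symlink swapped in for the directory fails
    if not stat.S_ISDIR(st.st_mode):
        raise UnsafeStateDir(f"{path} is not a directory")
    if st.st_uid != os.geteuid():
        raise UnsafeStateDir(f"{path} is owned by uid {st.st_uid}")
    mode = stat.S_IMODE(st.st_mode)
    if mode != PRIVATE_DIR_MODE:
        raise UnsafeStateDir(f"{path} has mode {oct(mode)}, expected 0o700")


def sensitive_write(state_dir, name, data):
    """Verify the directory, then write owner-only without following symlinks."""
    check_private_dir(state_dir)
    target = os.path.join(state_dir, name)
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
    fd = os.open(target, flags, PRIVATE_FILE_MODE)
    with os.fdopen(fd, "wb") as f:
        os.fchmod(f.fileno(), PRIVATE_FILE_MODE)  # tighten a pre-existing file too
        f.write(data)
    return target
```

The check fails closed: if the directory's mode or owner has changed since first run, the write is refused rather than silently repaired, so the tampering is surfaced to the operator.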

Network destinations

  • OSS: none. The CI test tests/test_no_phone_home.py is the gate that blocks any release that introduces an outbound call.
  • Free Binary: telemetry.grantlock.ai (anonymized counts; toggleable), update.grantlock.ai (24h check; toggleable).
  • Cloud: the above plus ingest.grantlock.ai after sign-in.

What we don't do

  • We don't ship telemetry from the OSS source-built scanner.
  • We don't transmit MCP tool arguments, responses, or configuration content from any tier.
  • We don't cross-reference Free Binary telemetry with the email used to download it.
  • We don't run a kernel module, a network proxy, or any agent that survives a reboot without your having installed it.

Vulnerability disclosure

Email security@grantlock.ai with the subject prefix [SECURITY]. We acknowledge reports promptly and coordinate disclosure responsibly. We do not pursue good-faith security researchers under our terms.

We do not currently run a bug bounty program. Reports are welcome regardless.

Audits and certifications

GrantLock is not currently SOC 2, ISO 27001, or HIPAA certified. A SOC 2 Type I scoping engagement is on the roadmap; we will publish the report when it lands. We do not claim certifications we do not hold.