# Security policy

## Reporting

Security reports are welcome. Please email `lionmaster.operations@gmail.com` with subject line `[LION SECURITY]` and a clear description of the issue.

## In scope

- LION endpoints under `https://gleaming-cassata-d41682.netlify.app/api/x402/*` and `https://gleaming-cassata-d41682.netlify.app/api/mcp`.
- Public machine-discovery files under `https://gleaming-cassata-d41682.netlify.app/lion-mcp/*`.

## Out of scope

- Third-party dependencies (CDP facilitator, Netlify, Coinbase Bazaar, x402scan, MCP Registry, Glama, Smithery, etc.). Report those to the respective vendor.
- Issues that require physical access or social engineering, and abuse of public endpoints that is unrelated to payment.

## Operating constraints

- LION does not accept private credentials, secrets, or PII over any channel.
- LION's only on-chain interaction is receiving USDC at the declared `payTo` address on Base (`eip155:8453`). LION does not custody buyer assets and does not initiate outbound transfers as part of the paid response.
- LION's MCP endpoint is read-only.
