MCPShield is a security product. We take vulnerabilities in our own code as seriously as the ones we help operators find.

Email: security@mcpshield.app

PGP: (key fingerprint to be published once the security mailbox is provisioned — until then, please email and we will respond with a key for follow-up.)

GitHub Security Advisories: You may also use the Report a vulnerability button on the repository. This creates a private advisory visible only to maintainers.

Please do not file public GitHub issues for security reports. Public issues will be deleted and you will be redirected to the channels above.

• Affected component (backend, agent, frontend, or cve_enricher)
• Affected version or commit SHA
• Reproduction steps
• Impact assessment (what an attacker gains)
• Any proof-of-concept code

We will not pursue legal action against researchers who:

• Follow this disclosure policy
• Do not exfiltrate, modify, or destroy data belonging to others
• Do not degrade availability of production systems
• Give us a reasonable window to fix the issue before public disclosure

MCPShield is currently in beta. Only the main branch is supported. Once we cut a v1.0.0 release, this section will be updated with a support window.

This is a summary. A full threat model document lives in docs/SECURITY_ARCHITECTURE.md (forthcoming).

• Confidentiality of the inventory: which AI tools on which endpoints are connected to which MCP servers, what those servers can touch, and any risk scoring derived from that data.
• Integrity of risk decisions: an attacker should not be able to silently mark a known-risky server as benign in the dashboard.
• Availability of the dashboard for security teams to act on alerts.

• The user's endpoint itself. We are a discovery and visibility tool. We do not block MCP servers from running, do not modify the host, and do not act as endpoint protection.
• The MCP servers themselves. We risk-score them based on their configuration; we do not patch them or restrict their runtime behaviour.
• Data flowing through MCP servers at runtime. We see configuration, not requests.

┌────────────────┐     X-API-Key      ┌─────────────────┐     JWT cookie     ┌──────────────┐
│  Agent (host)  │ ─────────────────▶│  Backend (API)  │ ◀────────────────  │  Frontend    │
└────────────────┘   HTTPS + TLS 1.2+ └─────────────────┘   HTTPS, same-site └──────────────┘
       │                                       │
       │ reads local config files              │ reads/writes Postgres
       ▼                                       ▼
   Filesystem only                       Org-scoped row-level isolation

• Agent → Backend is authenticated by a per-agent API key, hashed with SHA-256 at rest. Keys are scoped to a single organisation; a compromised agent key cannot read another org's data.
• Frontend → Backend is authenticated by a short-lived JWT stored in an httpOnly SameSite=Lax cookie. CSRF protection uses a double-submit cookie pattern (mcpshield_csrf readable cookie + X-CSRF-Token request header). Refresh tokens are rotated on use and revoked server-side on logout.
• Backend → Database uses parameterised queries via SQLAlchemy. Postgres is the authoritative store for hosted; SQLite is supported for single-node self-host.

• Authentication or authorisation bypass (any role, any org)
• Cross-org data leakage
• SQL injection, command injection, SSRF, deserialisation flaws
• XSS in the dashboard
• API-key or JWT forgery / replay
• Denial-of-service through unbounded queries or unauthenticated endpoints
• Risk-score manipulation that an unprivileged user can perform
• Secret exposure in logs, error responses, or client bundles
• Supply-chain risks in our dependency tree that we have not pinned

• Social-engineering attacks against MCPShield staff or customers
• Physical attacks against MCPShield infrastructure
• Findings on third-party services we use (Stripe, GitHub, etc.) — please report those to the relevant vendor
• Self-XSS, missing security headers without a demonstrated impact, clickjacking on pages with no state-changing actions
• Issues in unpublished branches or experimental modules clearly marked as such

Transparency about what the agent reads is essential. The mcpshield-agent Python package scans known MCP-config locations for the apps it supports (Claude Desktop, Cursor, Windsurf, etc.) and reports the following to the configured backend:

The agent never reads:

• Environment variable values (only names are read; values are never transmitted)
• File contents within scoped directories (only the path string is read)
• MCP request/response payloads at runtime
• Browser history, clipboard, keystrokes, or anything outside MCP config files

A full list of paths the agent reads is documented in agent/README.md. The agent source is MIT-licensed and auditable; if any of the above is inaccurate, please file a vulnerability report.

• Self-host: data lives only in your database. We have no telemetry endpoint phoning home. There is no built-in usage reporting.
• Hosted SaaS (when launched): data is stored in our managed Postgres in the region you select. Retention defaults are documented on the pricing page and configurable for paid plans. Data Processing Agreements are available for EU customers.

• Passwords: bcrypt (direct, cost factor 12)
• API keys: SHA-256 hash at rest; the first 12 characters are stored in plaintext as a display prefix only — verification always hashes the full key
• JWTs: HS256 signed with a per-deployment secret (JWT_SECRET). Operators must generate a strong secret in production. Default values are rejected at startup.
• All transport: HTTPS only in production. Local dev allows http://localhost for agent → backend; production deployments should terminate TLS at a reverse proxy (Caddy, Traefik, or behind a managed load balancer).

None yet. This section will be populated as advisories are published.

Last updated: 2026-06-21