If you discover a security vulnerability in the MCP server code itself (not in the underlying tools like nmap, nikto, etc.), please report it responsibly.
- Do NOT open a public issue for security vulnerabilities
- Use GitHub's Private Vulnerability Reporting feature:
- Go to the Security tab → "Report a vulnerability"
- Or open a draft security advisory in this repository
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Acknowledgment: Within 48 hours
- Initial Assessment: Within 7 days
- Resolution Target: Within 30 days for critical issues
In Scope:
- Command injection in MCP server code
- Bypass of target allowlist/blocklist
- Authentication/authorization issues
- Information disclosure from the server
- Denial of service against the MCP server
Out of Scope:
- Vulnerabilities in underlying tools (nmap, nikto, sqlmap, etc.) - report these to their respective projects
- Issues requiring physical access
- Social engineering attacks
- Issues in dependencies (report to dependency maintainers)
- Always configure
MCP_ALLOWED_TARGETS- Don't leave it open - Use read-only containers in production
- Set resource limits to prevent DoS
- Monitor container logs for unexpected activity
- Keep the image updated for security patches
We appreciate responsible disclosure and will acknowledge security researchers who report valid vulnerabilities (unless they prefer to remain anonymous).