MCPSafe.io

Security

Found something? Tell us before you tweet.

We run a security product. Our bar for our own bugs is the bar we set for the servers we scan. If you find a flaw in MCPSafe — the site, the API, the scan pipeline, the rules engine — this page tells you how to report it and what happens next.

Credential handling

We don’t store your registry tokens. When you scan a private repo or container image, the token is held only for the duration of the scan (~30s for fast, up to ~5min for deep), encrypted in transit and at rest, and never written to durable storage or logs. Once the scan completes, the token is discarded.

We made these tradeoffs deliberately:

  • You re-paste the token for every scan. Yes, it’s slightly annoying. We think the security model is worth it.
  • We can’t auto-rescan your private repo when a new vulnerability lands. You have to re-trigger.
  • Your account dashboard shows scan results, but never the credentials used to produce them.

Supported registries today: GitHub (PAT, repo scope), npm (access token), PyPI (API token), Docker Hub (username + access token), and GitHub Container Registry (username + PAT with read:packages). Other private registries (ECR, GCR, JFrog, Nexus, self-hosted) aren’t supported yet.
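The credential model above (token lives only for the scan, never reaches durable storage or logs, discarded on completion) can be enforced in code rather than by convention. The following is an added example, not MCPSafe's own pipeline: an `EphemeralToken` that is cleared when the scan context exits, plus a logging filter that scrubs anything shaped like a registry token before a record is emitted. The token prefixes in the pattern (`ghp_`, `github_pat_`, `npm_`, `pypi-`, `dckr_pat_`) are an assumption about the formats listed on this page; `scan_private_repo` and its findings are a constructed stand-in for the real scan.

```python
"""Added example (not MCPSafe's code): hold a registry token only for the
lifetime of one scan and keep it out of logs."""
import logging
import re
from contextlib import contextmanager
from typing import Dict, Iterator, List, Optional

# Assumed prefixes for the token kinds the page lists (GitHub PAT, npm, PyPI,
# Docker Hub). Redacting by shape means the filter never has to keep a copy of
# the secret, so nothing about the token outlives the scan.
TOKEN_PATTERN = re.compile(r"(?:ghp_|github_pat_|npm_|pypi-|dckr_pat_)[A-Za-z0-9_\-]{16,}")


def redact(text: str) -> str:
    """Replace anything that looks like a registry token with a fixed marker."""
    return TOKEN_PATTERN.sub("[REDACTED]", text)


class TokenRedactingFilter(logging.Filter):
    """Handler-level filter: scrubs the fully formatted message of every record."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


class EphemeralToken:
    """Holds a token for one scan; never reveals it via repr and can be discarded."""

    def __init__(self, value: str) -> None:
        self._value: Optional[str] = value

    @property
    def discarded(self) -> bool:
        return self._value is None

    def reveal(self) -> str:
        if self._value is None:
            raise RuntimeError("token already discarded")
        return self._value

    def discard(self) -> None:
        self._value = None

    def __repr__(self) -> str:
        return "EphemeralToken(<redacted>)"


@contextmanager
def scan_session(raw_token: str) -> Iterator[EphemeralToken]:
    """Yield the token for the duration of one scan; discard it on exit, even on error."""
    token = EphemeralToken(raw_token)
    try:
        yield token
    finally:
        token.discard()


# In-memory log sink so the example is self-contained and checkable.
_LOG_LINES: List[str] = []


class _ListHandler(logging.Handler):
    def emit(self, record: logging.LogRecord) -> None:
        _LOG_LINES.append(self.format(record))


log = logging.getLogger("scan-example")
log.setLevel(logging.INFO)
log.propagate = False
_handler = _ListHandler()
_handler.addFilter(TokenRedactingFilter())
log.addHandler(_handler)


def scan_private_repo(repo_url: str, raw_token: str) -> Dict[str, object]:
    """Hypothetical scan: uses the token only inside the session, then discards it."""
    with scan_session(raw_token) as token:
        auth_header = "Bearer " + token.reveal()  # only ever built inside the session
        # Even a careless log line like this one is scrubbed by the handler filter.
        log.info("scanning %s with %s", repo_url, auth_header)
        findings = ["constructed-example-finding"]  # constructed result, not real output
    # The result carries findings and the fact that the token is gone, never the token.
    return {"repo": repo_url, "findings": findings, "token_discarded": token.discarded}


def captured_logs() -> List[str]:
    return list(_LOG_LINES)
```

The filter sits on the handler rather than the logger so it also catches records from child loggers; pattern-based redaction is deliberately chosen over value-based redaction so the filter itself never becomes a second place the secret is stored.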

How to report

Email security@mcpsafe.io with the subject line [security]. Include enough detail to reproduce the issue — ideally a concrete request + response, a proof-of-concept payload, or a repo/scan URL that triggers it.

PGP is not currently offered. Plaintext over TLS to the address above is the recommended channel today.

Please do not open a public GitHub issue, post on X, or notify users whose scans would be affected until we’ve had a chance to fix.

What we commit to

  • Acknowledge your report within 3 business days.
  • Triage and share our initial assessment within 7 business days.
  • Credit you publicly (or keep you anonymous — your call) in the fix’s changelog entry and on this page once a fix is deployed.
  • No legal action for good-faith research that stays within the scope below.

Scope

In scope:

  • mcpsafe.io and all subdomains (*.mcpsafe.io).
  • The scan API (api.mcpsafe.io) — authentication, authorization, rate-limit bypass, cross-tenant data access, SSRF into internal services.
  • The rules engine — rule-logic bugs that produce false negatives on well-known attack classes, or false positives that break published customer badges.
  • Any cryptographic weakness in how scan results or customer credentials are stored.
  • Infrastructure misconfiguration we exposed (publicly reachable buckets, leaked credentials, exposed secrets).

Out of scope:

  • Missing security headers on marketing pages where no authentication flows are present.
  • Rate-limit tuning concerns below the published per-tier caps (see pricing). If you can actually bypass them, that’s in scope.
  • Self-XSS that requires the attacker to paste JavaScript into their own devtools console.
  • Findings in third-party services we embed (Stripe checkout, OAuth providers) — report those directly to the vendor.
  • Denial-of-service that relies on issuing more requests than any reasonable client would (we know our rate limits; please don’t stress-test them).
  • Social engineering, physical access, or account takeover that requires stealing the victim’s session cookie from their device.

No cash bounty yet — but public credit

We’re pre-revenue and can’t responsibly commit to cash payouts while one bad quarter could force us to renege. Instead, every valid report gets: a named entry in the fix’s changelog, a thank-you line on this page, and a hand-signed “found by [you]” reference in any post-mortem we publish.

When we do move to paid bounties, we’ll backpay researchers who reported eligible issues before the program opened. It’s what we’d want.

Hall of thanks

Empty today. We’ll keep this list honest — no paid shill names.

Machine-readable

Our security.txt lives at /.well-known/security.txt in the RFC 9116 format. It points back here.
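RFC 9116 has a handful of hard requirements that are easy to get wrong by hand: at least one `Contact` (as a URI), exactly one `Expires` in ISO 8601 that is still in the future, and at most one `Preferred-Languages`. As an added example, not MCPSafe's live file or tooling, here is a small builder and validator for that format. The contact address is the one from this page; the `Policy` and `Canonical` URLs and the expiry window are assumptions, and the validator goes slightly beyond the page by also flagging plain-`http` URIs and expiry dates more than a year out, which the RFC advises against.

```python
"""Added example (not MCPSafe's code): build and validate a security.txt per RFC 9116."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Fields whose values must be URIs (RFC 9116 section 2.5), plus the two others.
URI_FIELDS = {"contact", "policy", "canonical", "encryption", "acknowledgments", "hiring"}
KNOWN_FIELDS = URI_FIELDS | {"expires", "preferred-languages"}


def build_security_txt(contact: str, policy: str, days_valid: int = 180) -> str:
    """Constructed file in the shape of /.well-known/security.txt; URLs are assumed."""
    expires = (datetime.now(timezone.utc) + timedelta(days=days_valid)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        "# Constructed example security.txt (RFC 9116), not the live file.\n"
        f"Contact: {contact}\n"
        f"Expires: {expires}\n"
        f"Policy: {policy}\n"
        "Canonical: https://mcpsafe.io/.well-known/security.txt\n"
        "Preferred-Languages: en, de\n"
    )


def parse_security_txt(text: str) -> Dict[str, List[str]]:
    """Collect 'Name: value' lines by lower-cased name; comments and blanks are skipped."""
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a field line
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate_security_txt(text: str, now: Optional[datetime] = None) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings). Errors are RFC MUSTs; warnings are SHOULDs."""
    now = now or datetime.now(timezone.utc)
    errors: List[str] = []
    warnings: List[str] = []
    fields = parse_security_txt(text)

    for name in fields:
        if name not in KNOWN_FIELDS:
            warnings.append(f"unknown field '{name}' (extension fields are allowed; check spelling)")

    if "contact" not in fields:
        errors.append("Contact is required")
    for name in URI_FIELDS:
        for value in fields.get(name, []):
            if not value.startswith(("https://", "http://", "mailto:", "tel:")):
                errors.append(f"{name} value '{value}' is not a URI")
            elif value.startswith("http://"):
                warnings.append(f"{name} should use https://")

    expires = fields.get("expires", [])
    if not expires:
        errors.append("Expires is required")
    elif len(expires) > 1:
        errors.append("Expires must not appear more than once")
    else:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            errors.append(f"Expires '{expires[0]}' is not an ISO 8601 datetime")
        else:
            if when.tzinfo is None:
                when = when.replace(tzinfo=timezone.utc)
            if when <= now:
                errors.append("security.txt has expired; treat it as stale")
            elif when - now > timedelta(days=365):
                warnings.append("Expires is more than a year out; RFC 9116 recommends less")

    if len(fields.get("preferred-languages", [])) > 1:
        errors.append("Preferred-Languages must not appear more than once")
    return errors, warnings
```

Running the validator against a fetched `/.well-known/security.txt` on a schedule is a cheap way to notice an expired file before a researcher does; an expired `Expires` is the most common way a published policy silently goes stale.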


© 2026 MCPSafe. All rights reserved.
