Skip to content

Security: ToxMCP/.github

SECURITY.md

Security Policy

Report a vulnerability privately

Do not open a public issue for a suspected vulnerability or include secrets, personal data, confidential inputs, or exploit details in a public discussion.

Use GitHub's private vulnerability reporting in the affected ToxMCP repository:

  1. Open the affected repository.
  2. Select Security.
  3. Select Advisories and then Report a vulnerability.

Include the affected repository and version or commit, the potential impact, minimal reproduction steps, and sanitized supporting evidence. Remove real credentials and confidential scientific or client data.

Scope

The latest default branch and current releases of public ToxMCP repositories are in scope. Archived code, third-party services, and upstream data sources are maintained under their own policies and terms, although we still welcome a private report if a ToxMCP integration creates the exposure.

Please avoid social engineering, denial-of-service testing, destructive tests, high-volume automated requests against public services, and accessing data beyond what is needed to demonstrate the issue. Stop testing and report privately if you encounter credentials, personal data, or confidential material.

Security fixes are assessed according to impact, exploitability, and the affected release surface. Public disclosure should be coordinated through the private advisory.

There aren't any published security advisories