Please do not open a public GitHub issue for suspected vulnerabilities.
Email: hello@402index.io.
Please include:
- A description of the issue and, if possible, a minimal proof-of-concept.
- The affected component (live site, HTTP API, MCP server, aggregator, etc.).
- Your assessment of impact and any suggested mitigations.
We will acknowledge receipt within 72 hours and aim to triage within a week. If the issue is confirmed and fix-worthy, we'll coordinate a disclosure timeline with you — typically 30–90 days depending on severity and user-facing impact. Credit is offered in release notes unless you prefer anonymity.
In scope:
- The live site at
402index.io - The HTTP API (
/api/v1/*) - The probe / verifier that validates L402 and x402 challenges during registration and health checks
- The
@402index/mcp-servernpm package - This source repository (
ryanthegentry/402index)
Out of scope:
- Third-party services we aggregate from (Bazaar, Satring, l402apps, provider endpoints). Please report those to their operators.
- Social-engineering or physical attacks.
- Denial-of-service against the public API via rate-limit exhaustion, unless it demonstrates an amplification or asymmetric-cost vector beyond ordinary scraping.
402 Index aggregates untrusted external data (provider metadata, endpoint URLs, price claims) and exposes it to AI agents. The primary threats are:
- SSRF via health checks. The probe fetches arbitrary URLs submitted by third parties. We block private IPv4 ranges, localhost, cloud metadata endpoints (169.254.169.254), and non-HTTP schemes, and we set
redirect: 'manual'to prevent redirect-based bypasses. Seesrc/health/checker.js. - Malicious or low-quality listings. Aggregators can import untrusted metadata at volume. HTML output is escaped via
escapeHtml()on every user-visible field. Manual curation happens vialistings/featured.yaml. - Resource exhaustion. The API is rate-limited via
express-rate-limit. All list endpoints enforceLIMIT(max 200) andOFFSETceilings.health_checksrows older than 3 days are pruned. - Credential leakage. No user credentials are accepted by the public API. Webhook secrets are HMAC-SHA256, stored hashed. Environment variables (API keys, Nostr private key) are never logged.
- Registration abuse.
POST /api/v1/registeris rate-limited and requires the probe to validate the endpoint before listing. Domain verification is a separate step for theverifiedfilter.
- Parameterized SQL everywhere via
better-sqlite3(@paramor positional). No string concatenation in queries. helmetmiddleware for standard HTTP security headers (CSP, X-Frame-Options, X-Content-Type-Options, HSTS).app.disable('x-powered-by')to avoid leaking framework fingerprint.- Global Express error handler redacts stack traces in production.
- Dependencies are monitored via GitHub Dependabot and weekly security audits (
.github/workflows/weekly-security.yml).
Security fixes are applied to master and published as new releases of @402index/mcp-server. There is currently no LTS branch policy. Run master (or the latest published npm version of the MCP server) to stay current.