mcptest takes security seriously. This file describes how to report a vulnerability and what to expect after you do.

Email security@soapbucket.com with a description of the issue, steps to reproduce, and the version of mcptest affected. Encrypt with our GPG key if the content is sensitive; the key fingerprint will be published alongside the v1.0 release notes.

Please do not file public GitHub issues for security reports. Coordinate with us first so we can produce a fix before the issue is widely known.

• Acknowledge receipt within 72 hours.
• Triage and confirm severity within 7 days.
• Ship a fix within 30 days for high-severity issues, 90 days for medium-severity. Low-severity fixes land in the next regular release.
• Coordinated disclosure: we publish a CVE and credit the reporter (if the reporter wants credit) when the fix ships.

mcptest follows semantic versioning. Only the latest minor of the latest major receives security patches. When a new minor ships, the previous minor receives security patches for 90 days, then is end of life.

• The mcptest binary, every shipped crate (mcptest-core, mcptest-config, mcptest).
• Reporters, including the upload reporter wire format.
• The reference example MCP server in examples/reference-server/.
• The sample collector in tools/sample-collector/ (MIT licensed).
• The install script at scripts/install.sh and its CDN deployment.
• Schema files under schemas/.

• User-supplied YAML test files. The contents are user-controlled; there is no security boundary between the user and their own files.
• Third-party dependencies. Report those upstream; we follow advisory feeds and bump versions as fixes ship.
• MCP servers being tested. mcptest is the client; if a server has a vulnerability, report it to the server's maintainer.
• Issues that require local access to the user's machine to exploit.

• Secret redaction by default across every reporter, log line, and cassette. The redactor is regression-tested in crates/mcptest/tests/redaction_audit.rs. See ADR-0019 and the docs at docs/security/redaction.md.
• TLS verification on by default. --insecure-skip-verify prints a prominent warning on every invocation and is logged in run metadata.
• File mode 0600 on every secret cached under ~/.mcptest/auth/.
• Atomic writes for the OAuth token cache so a crash mid-refresh cannot leave a partial token on disk.
• No telemetry. mcptest does not phone home. Upload reporter is opt-in and points at a user-configured endpoint.

deny.toml at the repo root drives cargo deny check, which pulls advisories from the RustSec advisory database, enforces an explicit license allow-list adapted from the SPDX expressions in NOTICE, denies yanked crates outright, and warns on multiple-version drift across transitive dependencies. cargo-audit runs the same lockfile against RustSec independently as a second opinion. Both tools are wired into ./scripts/check.sh and skip gracefully when not installed locally; once re-enables the GitHub Actions surface the workflow runs them on every push to main. Contributors can install both with cargo install cargo-audit --locked and cargo install cargo-deny --locked. Tracked in Linear as .

References: , .