Skip to content

Security: knostic/MCP-Scanner

Security

Report a vulnerability

SECURITY.md

Security Policy

Reporting Security Vulnerabilities

Knostic takes the security of our open source projects seriously. If you believe you have found a security vulnerability in MCP Scanner, we encourage you to report it to us through coordinated disclosure.

How to Report

Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.

Instead, please send an email to: security@knostic.ai

Please include as much of the following information as possible:

  • Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
  • Full paths of source file(s) related to the manifestation of the issue
  • The location of the affected source code (tag/branch/commit or direct URL)
  • Any special configuration required to reproduce the issue
  • Step-by-step instructions to reproduce the issue
  • Proof-of-concept or exploit code (if possible)
  • Impact of the issue, including how an attacker might exploit the issue

This information will help us triage your report more quickly.

Response Timeline

  • Initial Response: We will acknowledge receipt of your report within 48 hours
  • Status Update: We will provide a more detailed response within 7 days
  • Resolution: We aim to resolve critical issues within 30 days

Responsible Disclosure

We ask that you:

  • Give us reasonable time to investigate and fix the issue before making it public
  • Make a good faith effort to avoid accessing or destroying other users' data
  • Do not perform testing on systems you do not own or without explicit permission

Recognition

We believe in recognizing security researchers who help keep our users safe. With your permission, we will:

  • Publicly acknowledge your responsible disclosure
  • Include your name in our security acknowledgments
  • Provide Knostic swag and recognition

Security Best Practices for Users

When using MCP Scanner, please:

  • Keep your Shodan API keys secure and never commit them to version control
  • Only scan systems you own or have explicit authorization to test
  • Follow responsible disclosure practices for any vulnerabilities you discover
  • Use rate limiting to avoid overwhelming target systems
  • Respect the terms of service of all APIs and services used

Our Commitment

Knostic is committed to:

  • Maintaining the security and integrity of our software
  • Responding promptly to security reports
  • Keeping our users informed about security issues
  • Following industry best practices for secure development

Thank you for helping keep MCP Scanner and our users safe!

There aren’t any published security advisories