Please do not open a public GitHub issue for security vulnerabilities.

Report privately via GitHub Security Advisories.

Include:

• Description of the vulnerability
• Steps to reproduce
• Affected versions
• Suggested fix (if any)

You can expect an acknowledgement within 48 hours and a fix or mitigation within 7 days for confirmed critical issues.

In scope:

• Credential exposure or leakage through transport layer
• Command injection via shapeshift() install commands
• Path traversal in file-based transports
• Token/key exposure in logs or error messages

Out of scope:

• Vulnerabilities in third-party MCP servers accessed via Kitsune
• Issues requiring physical access to the machine