If you discover a security vulnerability in the OSP specification, reference implementations, or tools, please report it responsibly.
Do not open a public issue for security vulnerabilities.
Instead, email: security@openserviceprotocol.org
We will acknowledge your report within 48 hours and provide a timeline for a fix.
Security concerns for this project include:
- Vulnerabilities in reference implementations or tools
- Design flaws in the specification that could enable abuse (e.g., agent impersonation, unauthorized ordering)
- Privacy issues with the information disclosed in
osp.mdfiles
- Vulnerabilities in third-party implementations of OSP
- Security issues in the standards OSP builds on (MCP, llms.txt, OpenAPI)