Security reports are especially relevant for:

• the hosted MCP server
• remote ingestion paths
• local file handling
• dependency vulnerabilities
• deployment configuration

Please do not open public issues for sensitive vulnerabilities.

Instead, use GitHub's private vulnerability reporting flow if it is enabled for this repository. If private reporting is not available yet, contact the maintainers through a private channel before disclosing details publicly.

Maintainers should aim to:

• acknowledge valid reports promptly
• assess severity and impact
• prepare a fix or mitigation
• coordinate public disclosure after a fix is available