If you find a security issue in the MCP Scanner CLI (or in any mcpscanner property), please report it privately — do not open a public issue.
- Email: security@mcpscanner.dev
- Please include steps to reproduce and the affected version.
We aim to acknowledge reports within a few working days and follow standard 90-day coordinated disclosure.
The scanner sends real (non-destructive) probe payloads to the target you point it at. Only scan MCP servers you own or are explicitly authorized to test. Scanning third-party systems without permission may be illegal.
The CLI is self-protecting by default: it refuses private/loopback/link-local and cloud-metadata addresses (unless --allow-internal is passed), does not follow redirects, and caps response size and tool count.
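To make the self-protection described above concrete, here is an added illustration of the two guards that are easiest to get wrong: the target-address check and the response-size cap. This is hypothetical example code written for this page, not the MCP Scanner CLI's own implementation; the function names (check_target, read_capped), the resolver-injection parameter and the use of Python are assumptions, and the --allow-internal flag is modelled as the allow_internal argument. The important detail it shows is that the check has to run on the resolved address, not just the hostname string, because a public DNS name can point at 127.0.0.1 or 169.254.169.254.

```python
"""Illustrative target guard and response cap for an MCP scanner.
Hypothetical example code for this page, not the MCP Scanner CLI's own source."""
import ipaddress
import socket
from urllib.parse import urlsplit

# DNS aliases that cloud platforms map to the metadata service. The IP literal
# 169.254.169.254 is caught by the link-local check; a hostname alias is not.
METADATA_HOSTNAMES = {"metadata.google.internal", "metadata"}


def _is_internal_ip(ip):
    """True for loopback, private (RFC 1918 / ULA), link-local (which includes
    169.254.169.254 and fe80::/10), unspecified, multicast and reserved ranges."""
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so the IPv4 rules apply to it.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_unspecified or ip.is_multicast or ip.is_reserved)


def default_resolver(host):
    """Resolve a hostname to every address it maps to (IPv4 and IPv6)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def check_target(url, allow_internal=False, resolver=default_resolver):
    """Return (ok, reason) for a scan target.

    Rejects non-http(s) schemes, metadata hostnames and any target whose
    *resolved* address is internal, unless allow_internal is set. The resolver
    is injectable so the check can be tested offline with constructed answers.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"unsupported scheme {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if allow_internal:
        return True, "internal targets explicitly allowed"
    if host.lower() in METADATA_HOSTNAMES:
        return False, f"{host} is a cloud metadata hostname"
    try:
        addrs = [ipaddress.ip_address(host)]          # IP literal: no DNS needed
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError) as exc:
            return False, f"cannot resolve {host}: {exc}"
    for ip in addrs:                                   # every answer must be external
        if _is_internal_ip(ip):
            return False, f"{host} resolves to internal address {ip}"
    return True, "ok"


def read_capped(chunks, max_bytes):
    """Accumulate body chunks, aborting before max_bytes would be exceeded.
    Applying the cap per chunk means an oversized body is never fully buffered."""
    buf = bytearray()
    for chunk in chunks:
        if len(buf) + len(chunk) > max_bytes:
            raise ValueError(f"response exceeds cap of {max_bytes} bytes")
        buf.extend(chunk)
    return bytes(buf)


if __name__ == "__main__":
    # Constructed sample targets; IP literals only, so nothing is resolved or contacted.
    for target in ("http://127.0.0.1:8080/mcp",
                   "http://169.254.169.254/latest/meta-data/",
                   "http://[::ffff:10.0.0.5]/mcp",
                   "file:///etc/hosts"):
        print(target, "->", check_target(target))
```

The tool-count cap follows the same per-item pattern as read_capped: stop consuming the tools list once the limit is reached rather than materialising it first. Note that the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) count as private under Python's ipaddress module, so a resolver returning one of those is rejected as well.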
Security fixes are released against the latest tagged version. Please upgrade to the newest release before reporting.