Only the latest main branch is currently supported.

If you discover a security vulnerability in MCPTrust, please do not open a public issue.

Preferred: Open a private security advisory

Email: security@mcptrust.dev

We will acknowledge reports within 48 hours.

We are particularly interested in:

• Bypasses of the verify command.
• Hash collisions that allow malicious tool changes to go undetected.
• Non-determinism in the locking or bundling process.