| Version | Supported |
|---|---|
| 0.8.x (beta) | ✅ Active development |
| < 0.8.0 | ❌ Not supported |

Please do NOT report security vulnerabilities as public GitHub issues.
We use GitHub's private security advisory feature. To report a vulnerability:
- Go to Security Advisories
- Click "Report a vulnerability"
- Fill in the details

Alternatively, email: security@mcpambassador.dev

Include the following in your report:

- Description of the vulnerability and potential impact
- Steps to reproduce
- Any proof-of-concept code (treated as confidential)
- Your preferred disclosure timeline

What to expect after you report:

- We will acknowledge receipt within 48 hours
- We will provide an initial assessment within 7 days
- We will work with you on a coordinated disclosure timeline
- We will credit you in the security advisory (unless you prefer anonymity)

In scope:
- Authentication bypass or privilege escalation
- Credential exposure or extraction
- Remote code execution
- SQL injection or command injection
- TLS/cryptography weaknesses
- Docker container escape

Out of scope:
- Denial of service against self-hosted instances (no SLA commitment for self-hosted)
- Rate limiting on development deployments
- Social engineering

See the Security Guide for hardening recommendations.