This repository contains an intentionally vulnerable MCP server implementation designed for security research and education. The vulnerabilities present in this code are by design and should not be reported as security issues.
If you discover a security issue that is not part of the intentional design (e.g., a vulnerability in the repository infrastructure, CI/CD pipeline, or dependencies), please report it responsibly.
Do not open a public GitHub issue for security vulnerabilities.
Instead, please email security@bishopfox.com with:
- A description of the vulnerability
- Steps to reproduce
- Potential impact
We will acknowledge receipt within 48 hours and provide a detailed response within 5 business days.
The following are in scope for security reports:
- Vulnerabilities in build/release infrastructure
- Dependency vulnerabilities that could affect users running the tool
- Credential or secret exposure (beyond the intentional demo secrets)
The following are out of scope:
- Vulnerabilities intentionally built into the MCP server
- Issues documented in the README as part of the exercise