If you discover a security vulnerability in Masques, please report it responsibly:
- Do not open a public GitHub issue for security vulnerabilities
- Email the maintainer directly or use GitHub's private vulnerability reporting feature
- Include a clear description of the vulnerability and steps to reproduce
Issues in scope include:
- Security issues in masque parsing or validation
- Potential for privilege escalation through masque definitions
- MCP server configuration vulnerabilities
- Intent boundary bypasses
- Information disclosure through masque loading
Response timeline:
- Acknowledgment: within 48 hours
- Initial assessment: within 1 week
- Resolution target: depends on severity, typically within 30 days for critical issues
This policy applies to the Masques plugin code and bundled masque definitions. Issues in third-party MCP servers referenced by masques should be reported to their respective maintainers.
We consider security research conducted in good faith to be authorized. We will not pursue legal action against researchers who:
- Make a good faith effort to avoid privacy violations and data destruction
- Give us reasonable time to address issues before public disclosure
- Do not exploit vulnerabilities beyond what is necessary to demonstrate them