MTF is an open security standard for describing and verifying the security posture of MCP server bundles.
Status: Draft (v0.1)
License: CC BY 4.0
MCP servers extend AI assistants with powerful capabilities: filesystem access, network requests, database queries, and code execution. This power creates significant security risk. MTF provides a standardized framework for:
- Bundle authors to demonstrate security best practices
- Registries to enforce minimum security requirements
- Consumers to make informed installation decisions
- Enterprises to set procurement policies
MTF defines four compliance levels, each building on the previous:
| Level | Name | Target | Controls |
|---|---|---|---|
| L1 | Basic | Personal projects, experimentation | 6 |
| L2 | Standard | Team tools, published packages | 14 |
| L3 | Verified | Production, enterprise use | 22 |
| L4 | Attested | Critical infrastructure, regulated industries | 25 |
Controls are organized into five domains:
- Supply Chain (SC): SBOM, vulnerability scanning, dependency pinning
- Code Quality (CQ): Secret detection, malicious patterns, static analysis
- Artifact Integrity (AI): Manifest validation, content hashes, signatures
- Provenance (PR): Source repository, author identity, build attestation
- Capability Declaration (CD): Tool declarations, permission scopes
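The levels are cumulative, so a bundle reaches a level only when every control of that level and of all lower levels passes. The following Python sketch shows one way a registry or consumer tool could compute the highest level a scan report satisfies and list what blocks the next one. It is an added illustration, not code from the MTF specification or from mpak-scanner: the level names, the cumulative counts (6, 14, 22, 25) and the five domain prefixes come from this README, while the individual control IDs (`SC-01`, `CQ-01`, ...) and their assignment to levels are constructed placeholders standing in for the real list in MTF-0.1.md.

```python
"""Work out the highest MTF level a security scan report satisfies.

Added illustration, not code from the MTF spec or from mpak-scanner. Level
names, cumulative control counts and domain prefixes follow the README; the
control IDs and the level that first requires each one are hypothetical.
"""
from __future__ import annotations

# (level id, name, cumulative number of controls) as given in the README table.
LEVELS = [
    ("L1", "Basic", 6),
    ("L2", "Standard", 14),
    ("L3", "Verified", 22),
    ("L4", "Attested", 25),
]

# Domain prefixes used in control IDs.
DOMAINS = {
    "SC": "Supply Chain",
    "CQ": "Code Quality",
    "AI": "Artifact Integrity",
    "PR": "Provenance",
    "CD": "Capability Declaration",
}

# Hypothetical control IDs, grouped by the level that first requires them.
# Levels build on each other: L2 needs everything in L1 plus its own list, etc.
NEW_CONTROLS_AT = {
    "L1": ["SC-01", "CQ-01", "AI-01", "AI-02", "PR-01", "CD-01"],
    "L2": ["SC-02", "SC-03", "CQ-02", "CQ-03", "AI-03", "PR-02", "CD-02", "CD-03"],
    "L3": ["SC-04", "SC-05", "CQ-04", "CQ-05", "AI-04", "PR-03", "PR-04", "CD-04"],
    "L4": ["SC-06", "AI-05", "PR-05"],
}


def required_controls(level: str) -> set[str]:
    """Return every control a level requires: its own plus all lower levels'."""
    required: set[str] = set()
    for level_id, _name, _count in LEVELS:
        required.update(NEW_CONTROLS_AT[level_id])
        if level_id == level:
            return required
    raise ValueError(f"unknown level {level!r}")


# Sanity check: the cumulative sizes must match the README's control counts.
for _level_id, _name, _count in LEVELS:
    assert len(required_controls(_level_id)) == _count, _level_id


def validate_results(results: dict[str, str]) -> None:
    """Reject control IDs from unknown domains or statuses other than pass/fail."""
    for control_id, status in results.items():
        domain = control_id.split("-", 1)[0]
        if domain not in DOMAINS:
            raise ValueError(f"{control_id}: unknown domain {domain!r}")
        if status not in ("pass", "fail"):
            raise ValueError(f"{control_id}: status must be 'pass' or 'fail', got {status!r}")


def evaluate(results: dict[str, str]) -> tuple[str | None, list[str]]:
    """Return (highest level fully satisfied or None, controls blocking the next level).

    A control absent from the report counts as failed: a scanner that did not
    check something cannot claim it, so silence never raises the level.
    """
    validate_results(results)
    achieved = None
    for level_id, _name, _count in LEVELS:
        missing = sorted(c for c in required_controls(level_id) if results.get(c) != "pass")
        if missing:
            return achieved, missing
        achieved = level_id
    return achieved, []


# Constructed sample report: all L1 and L2 controls pass, two L3 controls do not.
SAMPLE_RESULTS = {c: "pass" for c in required_controls("L2")}
SAMPLE_RESULTS.update({c: "pass" for c in NEW_CONTROLS_AT["L3"]})
SAMPLE_RESULTS["SC-05"] = "fail"   # one L3 control failed outright
del SAMPLE_RESULTS["PR-04"]        # one L3 control was never checked

if __name__ == "__main__":
    level, blocking = evaluate(SAMPLE_RESULTS)
    print(f"highest level satisfied: {level}; blocking next level: {blocking}")
```

Treating an unreported control as a failure is the conservative choice a registry enforcing a minimum level would want; a report that only lists the checks it ran cannot be mistaken for one that passed them all.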
See MTF-0.1.md for the full specification.
JSON schemas for validation:
- schemas/manifest.schema.json - MCPB manifest with MTF security extensions
- schemas/report.schema.json - MTF security scan report format
| Implementation | Language | Maintainer |
|---|---|---|
| mpak-scanner | Python | NimbleBrain (reference implementation) |
MTF is developed in the open. Contributions, feedback, and discussion are welcome.
This specification is licensed under Creative Commons Attribution 4.0 International (CC BY 4.0).
You are free to share and adapt this material for any purpose, including commercial use, as long as you provide appropriate attribution.