Security: ToolmeshAI/safe-mcp-config

.github/SECURITY.md

Security Policy

safe-mcp-config exists to catch obvious MCP configuration risks, so security reports need extra care.

Supported Versions

Until there is a newer tagged release, the 0.1.x line is the active support target.

Reporting a Vulnerability

  • Do not post live secrets, tokens, or full private configs in a public issue.
  • Rotate or revoke exposed credentials before opening any report.
  • If GitHub private vulnerability reporting is available for this repository, use it.
  • If private reporting is not available, open a minimal public issue without sensitive data and request a private follow-up from the maintainers.

Useful report details:

  • affected version or commit
  • Node.js version
  • sanitized sample config or reproduction steps
  • expected behavior and observed behavior
  • impact assessment, especially whether the issue can hide a dangerous config or leak sensitive output

Response Expectations

Maintainers should acknowledge a credible report within 5 business days when possible. Fix timing depends on severity, reproduction quality, and maintainer availability.

There aren’t any published security advisories