
Security: vardhineediganesh877-ui/skillforge


SECURITY.md

Security Policy

Supported Versions

Version   Supported
3.x       Yes
< 3.0     No

Reporting a Vulnerability

Do not report security vulnerabilities through public GitHub issues.

Instead, report them via:

  • GitHub Security Advisories: Report a vulnerability
  • Email: Send details to the maintainer via GitHub's contact form

Please include:

  • Description of the vulnerability
  • Steps to reproduce or proof of concept
  • Affected versions
  • Suggested fix (if available)

Disclosure Timeline

  • Acknowledgment: Within 48 hours of report
  • Initial assessment: Within 7 days
  • Fix delivery: Within 30 days for critical, 90 days for other severities
  • Public disclosure: After fix is released, or 90 days from report (whichever is sooner)

Security Features

  • AES-256-CBC credential encryption at rest
  • JWT authentication with configurable expiration
  • bcryptjs password hashing
  • MCP response sanitization (13 regex patterns for secrets/API keys)
  • Rate limiting (global + auth endpoints)
  • CORS with configurable allowed origins
  • DNS rebinding protection
  • Security headers (Helmet, CSP, HSTS)
  • Default password enforcement on non-localhost binds

There aren't any published security advisories