| Version | Supported |
|---|---|
| 0.1.x | ✅ |
Please do not report security vulnerabilities through public GitHub issues.
If you discover a security issue in MCTS itself:
- Email or DM the maintainers (update this with your contact when published)
- Include steps to reproduce and potential impact
- Allow up to 90 days for remediation before public disclosure
We appreciate responsible disclosure and will acknowledge reporters in the release notes when appropriate.
- In scope: MCTS CLI, libraries, GitHub Action, and official documentation
- Out of scope: vulnerabilities in third-party MCP servers scanned by MCTS (report those to the server maintainers)
MCTS is a security analysis tool. Only scan MCP servers you own or have explicit authorization to test.
- Live probing and fuzzing start subprocesses — see Live Scanning and Protocol Fuzzing for consent requirements
- CI usage: CI Integration
- REST API: set `MCTS_API_KEY` for production; see REST API threat model
HTML reports are self-contained files with embedded scan data and vendored chart assets. They do not transmit data to MCTS or third parties when you open the file in a browser.