trust-gate-mcp follows a rolling security support model. The latest released minor version on PyPI receives security patches. Security fixes are backported to the immediate prior minor on a best-effort basis for 90 days after the next release.
| Version | Supported |
|---|---|
| 0.1.x | ✅ |
| < 0.1 | ❌ (pre-release) |
Do not open a public issue. Public disclosure before a fix is available increases risk for every user of the package.
Two private channels are supported. Either is acceptable. We respond within 72 hours.
- Advisory: open a draft advisory at https://github.com/Cyber-Warrior-Network/trust-gate-mcp/security/advisories/new. GitHub keeps the thread private to maintainers and you until published.
- Email: security@cyberwarriornetwork.com. PGP encryption is not required. If you prefer encrypted email, request a key in your initial message and we will return one.
A well-formed report contains:
- Summary — one sentence describing the issue and its impact.
- Affected version(s) — tag or commit hash.
- Reproduction — minimal steps, input, and expected vs. actual behavior. A failing test is ideal.
- Impact assessment — what can an attacker achieve? Read data, modify state, deny service, escalate privilege, bypass policy, bypass signature verification?
- Suggested fix (optional) — patch or mitigation. Not required.
| Day | Milestone |
|---|---|
| 0 | You file the report via advisory or email |
| ≤3 | We acknowledge receipt, triage severity, confirm scope |
| ≤14 | A draft fix is proposed and tested |
| ≤30 | Fix is released in a patched version to PyPI |
| ≤90 | Public disclosure with CVE (if warranted) and credit to reporter |
The 90-day window aligns with the Project Zero disclosure deadline, the de facto industry standard. Extension requests are considered on a case-by-case basis.
In scope — the code and resources in this repository:
- The `trust_gate_mcp` Python package (MCP server + HTTP client)
- Input sanitization layer (`_sanitize`, `_validate_env`, regex patterns, length caps)
- HTTP client behavior (WAF handling, rate-limit handling, timeouts, fail-closed guarantees)
- Cryptographic verification paths (Ed25519, ML-DSA-65 offline verification)
- The OWASP ASI evaluation suite (`security_audit/owasp_asi_eval.py`)
- The adversarial stress test suite (`stress_test.py`)
- The public demo script (`demo_quantum_proof.py`)
Out of scope — reported to the relevant upstream project, not us:
- Vulnerabilities in the upstream `mcp`, `httpx`, `cryptography`, or `dilithium-py` packages (report to their maintainers)
- Vulnerabilities in the hosted Trust Gate backend at `cwn-trust-gate.onrender.com` (report via the Trust Gate product security page)
- Vulnerabilities in the AI model calling the MCP (report to the model provider)
This server is designed to fail closed under any failure condition. If you find an input sequence, network condition, or backend response that causes:
- Any tool to return `allow: true` when the backend denies
- Any receipt to verify as `valid: true` when the signature is wrong
- Any injection pattern (Class A or Class B) to pass sanitization unchanged
- Any field-length cap to be bypassed, causing memory or CPU denial of service
- Any error to leak stack traces, environment variables, or internal paths

that is a reportable vulnerability.
The threat model and current defenses are catalogued in README.md#cve-coverage. The suite defends against 10+ publicly disclosed MCP-relevant CVEs and attack classes. Coverage is validated by 47 unit tests + 51 OWASP ASI checks + 19 adversarial stress tests.
- Ed25519 — backward-compatible classical signing. Assumes no quantum adversary. Deprecated on a timeline aligned with NSA CNSA 2.0 (full migration by 2031).
- ML-DSA-65 — NIST FIPS 204, security level 3 (~AES-192 equivalent). Standardized August 14, 2024. This is the long-lived signature on every receipt.
- SHA-256 evidence hash — collision-resistant hash of the canonical decision payload. Both signatures commit the same evidence hash.
If a theoretical weakness in ML-DSA-65 is disclosed, report via the channels above. We will issue an advisory and migrate to the NIST-recommended successor.
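The fail-closed conditions listed earlier (a receipt must never verify as `valid: true` with a wrong signature, and a tool must never return `allow: true` when the backend denies) and the dual-signature design (Ed25519 and ML-DSA-65 both committing to the same SHA-256 evidence hash) are shown together in the added example below. It is not trust-gate-mcp's own code: the receipt field names and the canonical-JSON rule are assumptions, Ed25519 comes from the `cryptography` package, and the ML-DSA-65 slot is a pluggable sign/verify pair filled here with a constructed HMAC stand-in because the stand-alone example does not ship a post-quantum implementation (the package itself lists `dilithium-py` as its upstream).

```python
import hashlib
import hmac
import json
from typing import Callable

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey,
    Ed25519PublicKey,
)

# Field names and the canonical-JSON rule below are assumptions for this
# example, not trust-gate-mcp's wire format.
DENY = {"valid": False, "allow": False}


def canonical_bytes(decision: dict) -> bytes:
    """Canonical encoding of the decision payload: sorted keys, no whitespace."""
    return json.dumps(decision, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def evidence_hash(decision: dict) -> bytes:
    """SHA-256 over the canonical payload; both signatures commit to this value."""
    return hashlib.sha256(canonical_bytes(decision)).digest()


def stand_in_pq(key: bytes) -> tuple[Callable[[bytes], bytes], Callable[[bytes, bytes], bool]]:
    """Placeholder for the ML-DSA-65 sign/verify pair.  This is a constructed
    HMAC stand-in so the example runs without a post-quantum library; it only
    models the interface (sign over the hash, verify returns bool)."""
    def sign(h: bytes) -> bytes:
        return hmac.new(key, h, "sha256").digest()

    def verify(sig: bytes, h: bytes) -> bool:
        return hmac.compare_digest(sig, sign(h))

    return sign, verify


def issue_receipt(decision: dict, ed_priv: Ed25519PrivateKey, pq_sign) -> dict:
    """Sign the evidence hash twice: classical (Ed25519) and post-quantum slot."""
    h = evidence_hash(decision)
    return {
        "decision": decision,
        "evidence_hash": h.hex(),
        "sig_ed25519": ed_priv.sign(h).hex(),
        "sig_mldsa65": pq_sign(h).hex(),
    }


def verify_receipt(receipt, ed_pub: Ed25519PublicKey, pq_verify) -> dict:
    """Fail-closed verification.  Returns {"valid", "allow", "reason"}.
    Every failure path, including malformed input, yields valid=False and
    allow=False; allow is True only for a valid receipt whose payload says so."""
    try:
        decision = receipt["decision"]
        if not isinstance(decision, dict):
            return {**DENY, "reason": "decision is not an object"}
        h = evidence_hash(decision)
        # The claimed hash must match the hash recomputed from the payload.
        if not hmac.compare_digest(bytes.fromhex(receipt["evidence_hash"]), h):
            return {**DENY, "reason": "evidence hash mismatch"}
        # Classical signature: raises InvalidSignature on failure.
        ed_pub.verify(bytes.fromhex(receipt["sig_ed25519"]), h)
        # Post-quantum signature over the same hash.
        if not pq_verify(bytes.fromhex(receipt["sig_mldsa65"]), h):
            return {**DENY, "reason": "ML-DSA-65 signature invalid"}
        return {"valid": True, "allow": decision.get("allow") is True, "reason": "ok"}
    except (KeyError, TypeError, ValueError, InvalidSignature) as exc:
        # Missing fields, bad hex, wrong types, bad signature: all deny.
        return {**DENY, "reason": type(exc).__name__}


def demo() -> dict:
    """Constructed run: genuine, backend-denied, tampered, corrupt and garbage receipts."""
    ed_priv = Ed25519PrivateKey.generate()
    pub = ed_priv.public_key()
    pq_sign, pq_verify = stand_in_pq(b"constructed-stand-in-key")
    genuine = issue_receipt({"tool": "read_file", "allow": True, "nonce": 1}, ed_priv, pq_sign)
    denied = issue_receipt({"tool": "read_file", "allow": False, "nonce": 2}, ed_priv, pq_sign)
    tampered = json.loads(json.dumps(denied))
    tampered["decision"]["allow"] = True          # payload edited after signing
    sig = bytearray(bytes.fromhex(genuine["sig_ed25519"]))
    sig[0] ^= 0x01                                # one bit flipped in the signature
    corrupt = dict(genuine, sig_ed25519=sig.hex())
    return {
        "genuine": verify_receipt(genuine, pub, pq_verify),
        "denied": verify_receipt(denied, pub, pq_verify),
        "tampered": verify_receipt(tampered, pub, pq_verify),
        "corrupt": verify_receipt(corrupt, pub, pq_verify),
        "garbage": verify_receipt("not a receipt", pub, pq_verify),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9s} {result}")
```

The structure to notice is that every branch that is not a fully verified receipt returns the same deny object, including malformed input that never reaches a signature check, and that `allow` is derived from the verified payload rather than from anything the caller asserts. Editing the payload after signing is caught by the evidence-hash comparison before either signature is examined; a flipped signature bit is caught by Ed25519 itself.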
Reporters who follow this policy and confirm a vulnerability receive:
- Credit in the CHANGELOG entry for the patched release
- Credit in the published advisory (CVE if warranted)
- Optional acknowledgement in this file under "Hall of Fame"
No current entries — this section activates on first confirmed report.
- Advisory: https://github.com/Cyber-Warrior-Network/trust-gate-mcp/security/advisories/new
- Email: security@cyberwarriornetwork.com
No Receipt. No Trust.