We take the security of Hypertool MCP seriously. If you discover a security vulnerability, please report it responsibly.

Please do not report security vulnerabilities through public GitHub issues.

Instead, please email us at: support@onegrep.dev

Include the following information:

• Type of issue (e.g., buffer overflow, command injection, privilege escalation, etc.)
• Full paths of source file(s) related to the manifestation of the issue
• The location of the affected source code (tag/branch/commit or direct URL)
• Any special configuration required to reproduce the issue
• Step-by-step instructions to reproduce the issue
• Proof-of-concept or exploit code (if possible)
• Impact of the issue, including how an attacker might exploit it

• We will acknowledge your email within 48 hours
• We will provide a detailed response within 7 days indicating our next steps
• We will keep you informed of progress towards fixing the issue
• We may ask for additional information or guidance

When using Hypertool MCP:

1. Authentication: Ensure proper authentication for all underlying MCP servers
2. Environment Variables: Store sensitive tokens and API keys in environment variables, never in code
3. Configuration Security:
   • Protect your .mcp.json configuration files
   • Use appropriate file permissions
   • Never commit sensitive configuration to version control
4. Network Security:
   • Use secure transports when available
   • Be cautious when exposing HTTP endpoints
5. Tool Permissions:
   • Only enable tools you trust
   • Regularly audit enabled toolsets
   • Use the principle of least privilege
6. Regular Updates: Keep the package updated to the latest version for security patches

• Tool Isolation: Each tool call is routed to the appropriate server without cross-contamination
• Input Validation: All tool calls are validated before routing
• Error Handling: Errors from underlying servers are handled gracefully without exposing sensitive information
• Connection Security: Each underlying MCP server connection is isolated
• Configuration Validation: All configuration files are validated against strict schemas

We provide security updates for the following versions:

1. Insecure Mode: The --insecure flag bypasses tool hash verification. Use only in development environments.
2. HTTP Transport: When using HTTP transport, ensure proper network isolation or use HTTPS proxies.
3. Tool Permissions: Hypertool inherits the permissions of the underlying MCP servers it connects to.

We appreciate the security research community and will acknowledge security researchers who responsibly disclose vulnerabilities.