Report suspected vulnerabilities through GitHub private vulnerability reporting:
https://github.com/ashhart/Portreeve/security/advisories/new
GitHub private vulnerability reporting is enabled for this repository. Portreeve does not currently publish a separate security mailbox or PGP key.
Reports should include:
- Portreeve version or commit.
- Python version and operating system.
- Reproduction steps.
- Expected and observed behavior.
- Whether the issue affects confidentiality, integrity, availability, approval decisions, or audit evidence.
- Any relevant `Decision` or `AuditEvent` JSON.
In-scope reports include:
- incorrect `allow` decisions for paths or URLs that should be denied,
- incorrect lethal-trifecta state handling,
- missing or misleading audit evidence,
- approval bypasses,
- serialization issues that merge tenants or sessions,
- documentation that materially overstates protection.
Out-of-scope reports include:
- vulnerabilities in upstream MCP servers without a Portreeve-specific impact,
- tool calls that never pass through `register_tool()` or `gate()`,
- host operating-system compromise,
- missing authentication or RBAC features.
Disclosure handling is manual:
- acknowledge within 3 business days,
- provide an initial assessment within 10 business days,
- coordinate a fix and advisory before public disclosure when the report is valid and security-relevant.
PGP details should be added if email reporting is enabled later.