
Security: CroDevil75/mcp-snipe-it


SECURITY.md

Security Policy

Supported Versions

Version   Supported
0.1.x     Yes

Reporting a Vulnerability

Do not open a public GitHub issue for security vulnerabilities.

Report security issues via GitHub Private Security Advisories.

Include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Any suggested fix (optional)

We will acknowledge within 48 hours and aim to release a fix within 90 days for critical issues.

Security Design

  • API tokens are read from environment variables and never logged
  • HTTPS is enforced by default; HTTP requires explicit ALLOW_HTTP=true
  • All inputs are validated with Zod before reaching the Snipe-IT API
  • Errors returned to MCP clients are sanitized — upstream details stay in server logs
  • Rate limiting and request timeouts are applied to all outbound requests

See docs/security.md for the full security model and threat analysis.
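The following is an added illustration of the controls listed above, written for this page and not taken from the mcp-snipe-it project; the variable names SNIPEIT_URL and SNIPEIT_TOKEN and the 10-second timeout are assumptions, and the Zod validation the project uses is omitted so the snippet runs without dependencies.

```typescript
// Added example (not the project's own code). Environment variable names
// SNIPEIT_URL and SNIPEIT_TOKEN are assumed placeholders; ALLOW_HTTP is from the page.
interface ClientConfig {
  baseUrl: URL;
  token: string;
  timeoutMs: number;
}

// Read configuration from the environment, enforcing HTTPS unless the
// operator has explicitly opted in to plain HTTP with ALLOW_HTTP=true.
function loadConfig(env: Record<string, string | undefined>): ClientConfig {
  const raw = env.SNIPEIT_URL;
  if (!raw) throw new Error("SNIPEIT_URL is not set");
  const baseUrl = new URL(raw);
  if (baseUrl.protocol !== "https:") {
    const optedIn = baseUrl.protocol === "http:" && env.ALLOW_HTTP === "true";
    if (!optedIn) {
      throw new Error("Snipe-IT URL must use https:// (set ALLOW_HTTP=true to allow http://)");
    }
  }
  const token = env.SNIPEIT_TOKEN;
  if (!token) throw new Error("SNIPEIT_TOKEN is not set");
  // Timeout value is an assumed default for this illustration.
  return { baseUrl, token, timeoutMs: 10_000 };
}

// Remove the API token from any text that is about to be written to a log.
function redact(text: string, token: string): string {
  return token ? text.split(token).join("[REDACTED]") : text;
}

// Log the full upstream error server-side (token redacted) and hand the MCP
// client only a generic message, so upstream details never leak to callers.
function sanitizeError(err: unknown, token: string, log: (line: string) => void): string {
  const detail = err instanceof Error ? err.message : String(err);
  log(`upstream error: ${redact(detail, token)}`);
  return "Upstream request failed";
}
```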
