The MPP team takes security vulnerabilities seriously. We appreciate your efforts to responsibly disclose your findings.

Send an email to mpp-security@quantum2x.com with the following information:
- Description of the vulnerability
- Steps to reproduce (including any proof-of-concept code)
- Affected component (spec, runtime, SDK, registry, CLI)
- Impact assessment — what can an attacker achieve?
- Suggested fix (if you have one)

| Timeframe | Action |
|---|---|
| 24 hours | Acknowledgment of your report |
| 72 hours | Initial assessment and severity classification |
| 7 days | Detailed response with remediation plan |
| 30 days | Fix released (critical), or scheduled for next release (lower severity) |

We use the following severity levels:
| Severity | Description | Example |
|---|---|---|
| Critical | Remote code execution, sandbox escape, signature bypass | A crafted .mpp package escapes the WASM sandbox |
| High | Data exfiltration, privilege escalation, authentication bypass | A tool accesses files outside its declared permissions |
| Medium | Information disclosure, denial of service | A malformed manifest crashes the host runtime |
| Low | Minor issues with limited impact | A timing side-channel in signature verification |

We consider security research conducted in good faith to be authorized. We will not pursue legal action against researchers who:
- Make a good-faith effort to avoid privacy violations, destruction of data, and interruption of services
- Only interact with accounts they own or with explicit permission
- Report vulnerabilities promptly and do not publicly disclose before a fix is available
- Do not exploit vulnerabilities beyond what is necessary to demonstrate them

| Version | Supported |
|---|---|
| Latest release | ✅ Yes |
| Previous minor release | ✅ Security fixes only |
| Older versions | ❌ No |

MPP is designed with security as a core principle:
- Zero-Trust Execution — All tools run in capability-based sandboxes
- Cryptographic Verification — All packages must be digitally signed
- Least Privilege — Tools only receive explicitly granted permissions
- Supply Chain Integrity — Packages are verified before execution
- Privacy by Design — PII redaction filters operate at the protocol level

For more details, see the Security Model specification.

Our security team's PGP key for encrypted communication will be published here once the project reaches Phase 2.

Thank you for helping keep MPP and its users safe.