# MCP Server Security Standard (MSSS)

[![CC BY-SA 4.0][cc-by-sa-shield]][cc-by-sa]
[![GitHub release](https://img.shields.io/badge/release-v0.1.0-blue)](https://github.com/mcp-security-standard/mcp-server-security-standard/releases/latest)
[![Contributions Welcome](https://img.shields.io/badge/contributions-welcome-brightgreen)](#how-to-contribute)

Repository: https://github.com/mcp-security-standard/mcp-server-security-standard (homepage: https://mcp-security-standard.org/, license: CC BY-SA 4.0)

## About MSSS

The Model Context Protocol (MCP) lets AI models act on external systems through tools, resources, and prompts. As adoption accelerates, the same classes of vulnerability keep surfacing in MCP servers: command injection, path traversal, SSRF, and supply chain compromise.

MSSS provides:
- **24 security controls** across 8 domains
- **4 compliance levels** (L1-Essential, L2-Development, L3-Production, L4-Maximum Assurance)
- **Risk-based level selection** framework inspired by NIST CSF, OWASP ASVS, and CIS Controls
- **6 deployment profiles** (Local Dev, Team Server, Internet-Facing, etc.)
- **Evidence-based verification** with clear acceptance criteria
- **Machine-readable reporting** through JSON schemas

## Compliant Platforms

The following platforms have adopted the MCP Server Security Standard:

| - | Platform | Description | Status |
|---|----------|-------------|--------|
| <a href="https://mcp-hub.info/"><img src="https://cdn.mcp-hub.info/logo.svg" height="24"></a> | [MCP-Hub](https://mcp-hub.info/) | MCP server directory and marketplace: discover, publish, and manage MCP-compliant servers | ✅ Compliant |

> Are you implementing MSSS? [Open an issue](https://github.com/mcp-security-standard/mcp-server-security-standard/issues) or submit a PR to be listed here.

## Current Status - v0.1.0

Released: **January 15, 2026** (Community Review Draft)

### What's Included
- Core standard framework (msss.md)
- 6 deployment profiles defined
- Comprehensive threat model
- 23 fully documented security controls
- JSON reporting schemas
- i18n framework for translations

### Areas for Community Contribution
- Implementation examples for common frameworks
- Automated verification tools
- Reference assessment reports
- Translations to other languages
- Real-world testing and feedback

## Quick Start

### For Implementers
1. Review [deployment profiles](v0.1/standard/profiles.md) to find your scenario
2. Implement controls from the [control catalog](v0.1/controls/)
3. Use the [reporting schemas](v0.1/reporting/) for assessment
4. Share your experience via issues or discussions

### For Contributors
```bash
# Fork and clone
git clone https://github.com/YOUR-USERNAME/mcp-server-security-standard
cd mcp-server-security-standard

# Start a translation
mkdir -p v0.1/i18n/es/standard
```

### For Security Researchers
- Report vulnerabilities: security@mcp-security-standard.org
- Share attack patterns: Open an issue with the `threat-research` label
- Propose new controls: See the [contributing guide](v0.1/governance/contributing.md)

## Compliance Levels

MSSS defines **four compliance levels** using a **risk-based selection model** (not maturity progression). Organizations select their target level based on deployment context, data sensitivity, and potential impact.

### Level Selection Framework

| Level | Target Audience | Controls | Validation | Timeline |
|-------|----------------|----------|------------|----------|
| **L1: Essential** | Personal/Hobby | 6 (25%) | Self-assessment | 1-2 hours |
| **L2: Development** | Internal/Team | 12 (50%) | Self + scanning | 4-8 hours |
| **L3: Production** | Enterprise/Customers | 18 (75%) | Internal audit | 1-2 weeks |
| **L4: Maximum Assurance** | Critical/Regulated | 24 (100%) | Third-party pentest | 4-8 weeks |

Control counts are cumulative: each level requires every control of the levels below it.

### Quick Decision Guide

**Choose your level based on 4 key questions:**

1. **Who uses it?** Individual → L1 | Team → L2 | Organization/Customers → L3 | Public/Regulated → L4
2. **What data?** Public → L1 | Internal → L2 | Business/PII → L3 | Regulated (PHI/PCI) → L4
3. **Impact if compromised?** Inconvenience → L1 | Dev delays → L2 | Disruption → L3 | Severe harm → L4
4. **Threat model?** Opportunistic → L1 | Semi-targeted → L2 | Targeted → L3 | APT → L4

### Level Highlights

**Level 1 (Essential)**
- Essential protection for personal tools and hobby projects
- Targets: Command injection, path traversal, SSRF, credential leaks
- Key controls: No shell execution, path allowlisting, symlink resolution, URL validation, schema validation, secret redaction

**Level 2 (Development)**
- Security for development teams and internal tools
- Adds: TLS enforcement, input bounds, timeouts, command allowlisting, argument separation, trusted sources
- Required for: Team projects, internal apps, pre-production environments

**Level 3 (Production)**
- Comprehensive security for enterprise and customer-facing applications
- Adds: OAuth 2.1 delegated authorization, per-tool scopes, least privilege, RBAC, audit logging, container hardening
- Required for: SaaS products, customer data, business-confidential information

**Level 4 (Maximum Assurance)**
- Maximum hardening for critical infrastructure and regulated environments
- Adds: Filesystem sandboxing, egress filtering, package integrity verification, seccomp/AppArmor, resource limits, runtime monitoring
- Required for: HIPAA (healthcare), PCI DSS (payments), FedRAMP (government)

📖 **Full documentation**: See [Compliance Levels](v0.1/standard/compliance-levels.md) and [Control-Level Mapping](v0.1/standard/control-level-mapping.md)

### Regulatory Mappings

- **HIPAA** (Healthcare): Level 4 minimum for PHI access
- **PCI DSS** (Payments): Level 4 minimum for cardholder data
- **SOC 2** (SaaS): Level 3 minimum
- **ISO 27001**: Level 3 minimum for certification
- **FedRAMP**: Low→L3, Moderate/High→L4

## Control Catalog

### Filesystem (FS)

| Control | Level | Description |
|---------|-------|-------------|
| [MCP-FS-01](v0.1/controls/MCP-FS-01-path-allowlisting.md) | L1 | Path allowlisting to prevent unauthorized file access |
| [MCP-FS-02](v0.1/controls/MCP-FS-02-symlink-resolution.md) | L1 | Symlink resolution to prevent path traversal via symbolic links |
| [MCP-FS-03](v0.1/controls/MCP-FS-03-filesystem-sandboxing.md) | L4 | Filesystem sandboxing for complete isolation |

### Execution (EXEC)

| Control | Level | Description |
|---------|-------|-------------|
| [MCP-EXEC-01](v0.1/controls/MCP-EXEC-01-no-shell-execution.md) | L1 | Avoid shell execution to prevent command injection |
| [MCP-EXEC-02](v0.1/controls/MCP-EXEC-02-command-allowlisting.md) | L2 | Command allowlisting for permitted executables |
| [MCP-EXEC-03](v0.1/controls/MCP-EXEC-03-argument-separator.md) | L2 | Argument separation (`--`) so user values cannot be parsed as options |

### Network (NET)

| Control | Level | Description |
|---------|-------|-------------|
| [MCP-NET-01](v0.1/controls/MCP-NET-01-url-validation.md) | L1 | URL validation to prevent SSRF attacks |
| [MCP-NET-02](v0.1/controls/MCP-NET-02-egress-filtering.md) | L4 | Egress traffic filtering with destination allowlists |
| [MCP-NET-03](v0.1/controls/MCP-NET-03-tls-enforcement.md) | L2 | TLS 1.2+ enforcement for all remote connections |

### Authorization (AUTHZ)

| Control | Level | Description |
|---------|-------|-------------|
| [MCP-AUTHZ-01](v0.1/controls/MCP-AUTHZ-01-oauth-delegation.md) | L3 | OAuth 2.1 delegated authorization |
| [MCP-AUTHZ-02](v0.1/controls/MCP-AUTHZ-02-tool-scopes.md) | L3 | Per-tool scope definition with granular permissions |
| [MCP-AUTHZ-03](v0.1/controls/MCP-AUTHZ-03-least-privilege.md) | L3 | Least privilege tool design principles |
| [MCP-AUTHZ-04](v0.1/controls/MCP-AUTHZ-04-rbac.md) | L3 | Role-based access control (RBAC) |

### Input Validation (INPUT)

| Control | Level | Description |
|---------|-------|-------------|
| [MCP-INPUT-01](v0.1/controls/MCP-INPUT-01-schema-validation.md) | L1 | JSON Schema validation for all tool arguments |
| [MCP-INPUT-02](v0.1/controls/MCP-INPUT-02-bounds-checking.md) | L2 | Input bounds checking to prevent DoS attacks |
| [MCP-INPUT-03](v0.1/controls/MCP-INPUT-03-timeout-enforcement.md) | L2 | Timeout enforcement to prevent resource exhaustion |

### Logging (LOG)

| Control | Level | Description |
|---------|-------|-------------|
| [MCP-LOG-01](v0.1/controls/MCP-LOG-01-audit-logging.md) | L3 | Comprehensive audit logging for all tool invocations |
| [MCP-LOG-02](v0.1/controls/MCP-LOG-02-secret-redaction.md) | L1 | Automatic secret redaction in logs |

### Supply Chain (SUPPLY)

| Control | Level | Description |
|---------|-------|-------------|
| [MCP-SUPPLY-01](v0.1/controls/MCP-SUPPLY-01-package-integrity.md) | L4 | Package integrity verification with checksums |
| [MCP-SUPPLY-02](v0.1/controls/MCP-SUPPLY-02-trusted-sources.md) | L2 | Trusted package sources and registry verification |

### Deployment (DEPLOY)

| Control | Level | Description |
|---------|-------|-------------|
| [MCP-DEPLOY-01](v0.1/controls/MCP-DEPLOY-01-container-hardening.md) | L3 | Container hardening with security best practices |
| [MCP-DEPLOY-02](v0.1/controls/MCP-DEPLOY-02-seccomp-enforcement.md) | L4 | System call filtering via seccomp/AppArmor |
| [MCP-DEPLOY-03](v0.1/controls/MCP-DEPLOY-03-resource-limits.md) | L4 | Resource limits and rate limiting for DoS prevention |

**Total**: 24 controls across 8 security domains (the 23 documented controls are listed above; see "What's Included")
- **Level 1**: 6 controls (25%) - Essential baseline
- **Level 2**: 12 controls (50%) - Development protection
- **Level 3**: 18 controls (75%) - Production security
- **Level 4**: 24 controls (100%) - Maximum assurance

## How to Contribute

We follow a simple process:

1. **Pick an area** - Check issues labeled `help-wanted` or `good-first-issue`
2. **Discuss** - Open an issue or join discussions before major work
3. **Submit** - Create a PR with a clear description
4. **Iterate** - Address feedback from reviewers

### Priority Contributions

**HIGH PRIORITY**
- Add real-world implementation examples
- Create reference implementations for common frameworks
- Test controls against production deployments

**MEDIUM PRIORITY**
- Add profile-specific guidance
- Start Spanish, Portuguese, or other translations
- Develop automated verification tools

**ALWAYS WELCOME**
- Fix typos and improve clarity
- Add references to new CVEs or research
- Share implementation experiences

## Community

### Get Involved

- **Discussions**: [GitHub Discussions](https://github.com/mcp-security-standard/mcp-server-security-standard/discussions) - Ask questions, share ideas
- **Issues**: [GitHub Issues](https://github.com/mcp-security-standard/mcp-server-security-standard/issues) - Report bugs, request features

### Project Leads

- **Daniel García (cr0hn)** - [@cr0hn](https://github.com/cr0hn)
- **Dr. Alfonso Múñoz (Mindcrypt)** - [@mindcrypt](https://github.com/mindcrypt)

**Looking for Co-Maintainers!** If you're passionate about MCP security and want to help shape this standard, please reach out.

### Recognition

All contributors will be recognized in:
- CHANGELOG.md for significant contributions
- Control documents you author or substantially improve

## Roadmap

### v0.1 (Current - Community Review)
- Gather feedback on the 23 documented controls
- Validate against real-world deployments
- Collect implementation experiences

### v0.2 (Q2 2026)
- Incorporate community feedback
- Add controls for emerging threats
- Publish reference implementations
- Launch translation program

### v1.0 (Q4 2026)
- Stable specification
- Automated verification tools
- Certification program framework
- Training materials

## Related Standards

MSSS complements:
- [OWASP MCP Top 10](https://owasp.org/www-project-mcp-top-10/) - Risk categories
- [OWASP ASVS](https://owasp.org/www-project-application-security-verification-standard/) - Verification standard
- [CWE](https://cwe.mitre.org/) - Weakness enumeration
- [NIST Cybersecurity Framework](https://www.nist.gov/cyberframework) - Risk management

## License

MSSS uses a multi-license approach:

| Component | License | Purpose |
|-----------|---------|---------|
| Standard Text | [CC BY-SA 4.0][cc-by-sa] | Free sharing with attribution |
| JSON Schemas | Apache 2.0 | Commercial tool integration |
| Code Examples | MIT | Maximum flexibility |

See the full license text in the [LICENSE](LICENSE) file.

## Support the Project

- **Star this repository** - Help others discover MSSS
- **Share with your network** - Spread awareness
- **Contribute** - Your expertise makes MSSS better

## Acknowledgments

MSSS builds upon:
- Security researchers who disclosed MCP vulnerabilities
- The OWASP MCP Top 10 community
- Early adopters providing feedback
- Academic researchers (MCPLIB, Hou et al.)

---

**The MCP Server Security Standard is an open community project.** We provide this standard as-is without warranties. Use at your own discretion.

[cc-by-sa]: http://creativecommons.org/licenses/by-sa/4.0/
[cc-by-sa-shield]: https://img.shields.io/badge/License-CC%20BY--SA%204.0-lightgrey.svg
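The Level 1 controls in the catalog above (MCP-FS-01/02 path allowlisting with symlink resolution, MCP-NET-01 URL validation, MCP-LOG-02 secret redaction) are small enough to show together in one file. The following is an example added by the editor, not code from the MSSS repository or its control documents; the function names, the redaction patterns and the constructed fixtures (a temporary allowlisted root with a symlink pointing outside it, a handful of URLs, a fake DNS resolver, two log lines) are assumptions made for illustration.

```python
"""Level 1 MSSS controls in one place: MCP-FS-01/02, MCP-NET-01, MCP-LOG-02.
Editor-added example, not MSSS code. Names, patterns and fixtures are
assumptions made for illustration."""
from __future__ import annotations

import ipaddress
import os
import re
import socket
import tempfile
from urllib.parse import urlsplit


def resolve_within(root: str, requested: str) -> str:
    """MCP-FS-01/02: canonicalise the request and require it to stay under root.
    realpath() follows every symlink component before the containment check, so
    a link inside the tree that points outside fails exactly like '../'.
    commonpath() rather than startswith() keeps /srv/data2 from passing for
    root /srv/data."""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, requested))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PermissionError(f"path escapes allowlisted root: {requested!r}")
    return candidate


def validate_url(url: str) -> str:
    """MCP-NET-01, first half: only http(s), no embedded credentials, and a
    literal IP must be globally routable. A hostname passes here only as a
    candidate; resolved_is_public() must vet what it resolves to."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    if parts.username or parts.password:
        raise ValueError("credentials in URL rejected")
    if host == "localhost" or host.endswith(".localhost"):
        raise ValueError("loopback hostname rejected")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return url  # a name, not an address: still needs the resolution check
    if not ip.is_global:  # loopback, RFC 1918, link-local (169.254.169.254), ...
        raise ValueError(f"non-public address rejected: {host}")
    return url


def resolved_is_public(host: str, resolver=socket.getaddrinfo) -> bool:
    """MCP-NET-01, second half: every address the name resolves to must be
    global, and the client should then connect to that vetted address instead
    of resolving again (DNS rebinding). `resolver` is injectable so the demo
    runs offline with a fake answer."""
    for _family, _type, _proto, _canon, sockaddr in resolver(host, None):
        if not ipaddress.ip_address(sockaddr[0]).is_global:
            return False
    return True


# MCP-LOG-02: credential-looking fields (header or key=value) and well-known
# bare key formats. Illustrative patterns; extend for your own secret types.
_FIELD_SECRET = re.compile(
    r"(?i)([\w-]*(?:authorization|api[_-]?key|password|passwd|secret|token))"
    r"(\s*[=:]\s*)(?:(?:bearer|basic)\s+)?[^\s&]+"
)
_BARE_SECRET = re.compile(r"\b(?:sk-[A-Za-z0-9]{20,}|ghp_[A-Za-z0-9]{36}|AKIA[A-Z0-9]{16})\b")


def redact(line: str) -> str:
    """Apply before the line reaches any sink (file, stdout, telemetry)."""
    line = _FIELD_SECRET.sub(r"\1\2[REDACTED]", line)
    return _BARE_SECRET.sub("[REDACTED]", line)


def demo_path_checks() -> dict:
    """Constructed fixture: an allowlisted root holding one real file and a
    symlink to a directory outside the root. True means the request was accepted."""
    root = tempfile.mkdtemp(prefix="msss-root-")
    outside = tempfile.mkdtemp(prefix="msss-outside-")
    os.mkdir(os.path.join(root, "docs"))
    with open(os.path.join(root, "docs", "readme.txt"), "w") as fh:
        fh.write("ok\n")
    os.symlink(outside, os.path.join(root, "docs", "escape"))
    cases = (("inside", "docs/readme.txt"), ("symlink_escape", "docs/escape/anything"),
             ("dotdot_escape", "../" * 8 + "etc/passwd"), ("absolute", "/etc/passwd"))
    results = {}
    for label, req in cases:
        try:
            resolve_within(root, req)
            results[label] = True
        except PermissionError:
            results[label] = False
    return results


def demo_url_checks() -> dict:
    """Constructed URLs plus a fake resolver that answers with the cloud
    metadata address. True means accepted."""
    def metadata_dns(host, port):
        return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", ("169.254.169.254", 0))]
    cases = (("public", "https://api.example.com/v1/items"),
             ("metadata_ip", "http://169.254.169.254/latest/meta-data/"),
             ("ipv6_loopback", "http://[::1]:8080/"),
             ("file_scheme", "file:///etc/passwd"),
             ("creds", "https://admin:pw@api.example.com/"))
    results = {}
    for label, url in cases:
        try:
            validate_url(url)
            results[label] = True
        except ValueError:
            results[label] = False
    results["rebinding_name"] = resolved_is_public("api.example.com", resolver=metadata_dns)
    return results
```

Two points a checklist row does not convey: containment is decided on `realpath()` output, so the symlink case and the `../` case fail the same test, and a name such as `http://2130706433/` (decimal 127.0.0.1) is not an address to `ipaddress` at all, which is why `validate_url()` alone is not MCP-NET-01 and the resolved addresses have to be checked, then pinned, before the connection is made.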
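The three EXEC controls and the two INPUT limits in the catalog above (MCP-EXEC-01 no shell, MCP-EXEC-02 command allowlist, MCP-EXEC-03 argument separator, MCP-INPUT-02 bounds, MCP-INPUT-03 timeout) all land on the same `subprocess` call, so one runner shows all five. This is an example added by the editor, not MSSS code or a reference implementation from the project; the allowlist contents (`ls` and `sort`), the limits, the function names and the fixture (a directory containing a file literally named `-l`) are assumptions.

```python
"""MCP-EXEC-01/02/03 plus MCP-INPUT-02/03 on one subprocess call.
Editor-added example, not MSSS code. Allowlist contents, limits and names are
assumptions made for illustration."""
from __future__ import annotations

import os
import shutil
import subprocess
import tempfile
from typing import List, Optional

MAX_ARGS = 16        # MCP-INPUT-02: bound the number of user-controlled operands
MAX_ARG_LEN = 256    # ... and their size
TIMEOUT_SECONDS = 5  # MCP-INPUT-03: never wait on a child forever

# MCP-EXEC-02: tool names map to absolute paths resolved once at startup, so a
# later PATH change cannot swap the binary. Only executables actually present
# are enabled.
COMMAND_ALLOWLIST = {
    name: path
    for name, path in (("ls", shutil.which("ls")), ("sort", shutil.which("sort")))
    if path
}


def run_tool(command: str, args: List[str], cwd: Optional[str] = None) -> subprocess.CompletedProcess:
    """Run an allowlisted command with user-supplied operands; never a shell."""
    exe = COMMAND_ALLOWLIST.get(command)
    if exe is None:
        raise PermissionError(f"command not allowlisted: {command!r}")
    if len(args) > MAX_ARGS or any(len(a) > MAX_ARG_LEN for a in args):
        raise ValueError("argument bounds exceeded")
    if any("\0" in a for a in args):
        raise ValueError("NUL byte in argument")
    # MCP-EXEC-01: an argv list with shell=False. ';', '|' and '$(...)' reach
    # the child as literal bytes; no interpreter ever sees them.
    # MCP-EXEC-03: '--' ends option parsing, so a user value such as '-l' or
    # '--output=/etc/cron.d/x' is an operand, not an option.
    argv = [exe, "--", *args]
    return subprocess.run(
        argv, cwd=cwd, shell=False, capture_output=True, text=True,
        timeout=TIMEOUT_SECONDS,
        env={"PATH": "/usr/bin:/bin", "LC_ALL": "C"},  # minimal, predictable environment
    )


def demo() -> dict:
    """Constructed fixture: a directory holding one file literally named '-l'."""
    workdir = tempfile.mkdtemp(prefix="msss-exec-")
    open(os.path.join(workdir, "-l"), "w").close()
    results = {}
    # With the separator, the user value '-l' is a filename and gets listed.
    results["separator_output"] = run_tool("ls", ["-l"], cwd=workdir).stdout
    # Without it (bypassing run_tool, for contrast only) '-l' is an option and
    # ls produces a long listing instead.
    raw = subprocess.run([COMMAND_ALLOWLIST["ls"], "-l"], cwd=workdir, capture_output=True,
                         text=True, timeout=TIMEOUT_SECONDS, env={"PATH": "/usr/bin:/bin", "LC_ALL": "C"})
    results["no_separator_is_listing"] = raw.stdout.startswith("total")
    # A classic injection payload is just a nonexistent filename: nothing ran it.
    inj = run_tool("ls", ["; id"], cwd=workdir)
    results["injection_ran_id"] = "uid=" in inj.stdout
    results["injection_exit"] = inj.returncode
    # Anything outside the allowlist never starts.
    try:
        run_tool("bash", ["-c", "id"])
        results["bash_blocked"] = False
    except PermissionError:
        results["bash_blocked"] = True
    return results
```

The separator is the control most often skipped because the argv list already defeats shell metacharacters; the `-l` fixture shows why it is listed separately, since option injection needs no shell at all.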