Do not open a public GitHub issue for security vulnerabilities.
Email: security@usewombat.eu
PGP key: https://usewombat.eu/.well-known/security.txt
We will acknowledge your report within 48 hours and aim to ship a fix within 14 days for critical issues.
The following are in scope:
- Permission bypass in `resolver.ts` or `gateway.ts`: a tool call that should be denied but is allowed
- Audit log injection or tampering
- Path traversal in resource resolution
- Manifest parsing that silently falls back to permissive defaults instead of failing loudly
- Any mechanism that allows an agent to bypass the gateway entirely when the gateway is configured correctly
The following are out of scope:
- The local gateway does not prevent a sufficiently motivated agent from connecting directly to downstream MCP servers if it knows their addresses. This is a documented limitation of the local (open source) version; the hosted usewombat version closes it with scoped session tokens.
- Social engineering of the manifest author
The gateway enforces permissions mechanically from a human-authored manifest. ML/AI is not in the security path — this is by design. A deny decision is always deterministic and auditable.
The audit log never contains parameter values, file contents, or API responses — only the shape of what happened (tool name, resource path, mode, decision). This is also by design.
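As an added illustration of the design points above (fail-closed manifest parsing, a deterministic deny-by-default decision, and an audit record that carries only the call's shape) together with the path-traversal and log-injection cases from the scope list, here is a small TypeScript sketch. It is not usewombat's code: the manifest format (`version` plus `rules`), the `read`/`write` modes, the prefix-matching rule shape and the `fs` sample tool are all assumptions made for this example.

```typescript
// Added illustration, not usewombat code. The manifest shape (version + rules),
// the "read"/"write" modes and the prefix-matching rule format are assumptions
// made for this example; this page does not describe the real manifest format.

type Mode = "read" | "write";
type Decision = "allow" | "deny";
interface Rule { tool: string; resource: string; modes: Mode[] }
interface Manifest { version: number; rules: Rule[] }
interface ToolCall { tool: string; resource: string; mode: Mode; params?: unknown }
// The audit record carries only the shape of the call: tool, path, mode, decision,
// and which rule matched. Parameter values never appear in it.
interface AuditRecord { tool: string; resource: string; mode: Mode; decision: Decision; rule: number | null }

const MODES: string[] = ["read", "write"];
const err = (msg: string): Error => new Error(`manifest: ${msg}`);

// Rejects unknown fields and requires every listed field: a typo such as "mode"
// for "modes" fails loudly instead of being silently ignored.
function expectKeys(obj: Record<string, unknown>, allowed: string[], where: string): void {
  for (const k of Object.keys(obj)) if (!allowed.includes(k)) throw err(`${where}: unknown field "${k}"`);
  for (const k of allowed) if (!(k in obj)) throw err(`${where}: missing field "${k}"`);
}

// Normalizes an absolute resource path: "." and ".." are resolved and ".." can
// never climb above "/". Relative paths are rejected (null) rather than guessed at.
function normalizeResource(p: string): string | null {
  if (!p.startsWith("/")) return null;
  const out: string[] = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { out.pop(); continue; }
    out.push(seg);
  }
  return "/" + out.join("/");
}

// Fail-closed parser: nothing is defaulted to a permissive value. A rule with no
// modes is an error, not "all modes"; an unknown mode is an error, not ignored.
function parseManifest(raw: string): Manifest {
  let doc: unknown;
  try { doc = JSON.parse(raw); } catch (e) { throw err(`invalid JSON (${(e as Error).message})`); }
  if (typeof doc !== "object" || doc === null || Array.isArray(doc)) throw err("top level must be an object");
  const top = doc as Record<string, unknown>;
  expectKeys(top, ["version", "rules"], "top level");
  if (top.version !== 1) throw err(`unsupported version ${JSON.stringify(top.version)}`);
  const rawRules = top.rules;
  if (!Array.isArray(rawRules)) throw err("rules must be an array");
  const rules = rawRules.map((r: unknown, i: number): Rule => {
    const where = `rule ${i}`;
    if (typeof r !== "object" || r === null || Array.isArray(r)) throw err(`${where}: must be an object`);
    const rr = r as Record<string, unknown>;
    expectKeys(rr, ["tool", "resource", "modes"], where);
    const tool = rr.tool, resource = rr.resource, modes = rr.modes;
    if (typeof tool !== "string" || tool === "") throw err(`${where}: tool must be a non-empty string`);
    if (typeof resource !== "string" || !resource.startsWith("/")) throw err(`${where}: resource must be an absolute path`);
    if (!Array.isArray(modes) || modes.length === 0) throw err(`${where}: modes must be a non-empty array`);
    for (const m of modes) if (typeof m !== "string" || !MODES.includes(m)) throw err(`${where}: unknown mode ${JSON.stringify(m)}`);
    return { tool, resource: normalizeResource(resource) as string, modes: modes as Mode[] };
  });
  return { version: 1, rules };
}

function underPrefix(resource: string, prefix: string): boolean {
  return prefix === "/" || resource === prefix || resource.startsWith(prefix + "/");
}

// Deterministic, deny-by-default decision: allow only if some rule matches the
// tool, the normalized path and the mode. call.params is deliberately never
// copied into the returned record, so the audit log cannot leak it.
function decide(manifest: Manifest, call: ToolCall): AuditRecord {
  const resource = normalizeResource(call.resource);
  if (resource === null) return { tool: call.tool, resource: call.resource, mode: call.mode, decision: "deny", rule: null };
  const res: string = resource;
  const idx = manifest.rules.findIndex(
    (r) => r.tool === call.tool && underPrefix(res, r.resource) && r.modes.includes(call.mode),
  );
  return { tool: call.tool, resource: res, mode: call.mode, decision: idx >= 0 ? "allow" : "deny", rule: idx >= 0 ? idx : null };
}

// One JSON object per log line. JSON.stringify escapes "\n" and quotes, so a tool
// name or path chosen by the agent cannot forge a second, fake log entry.
function auditLine(rec: AuditRecord): string {
  return JSON.stringify(rec);
}

// Constructed sample manifest for the example: the "fs" tool may only read under /docs.
const SAMPLE_MANIFEST = JSON.stringify({ version: 1, rules: [{ tool: "fs", resource: "/docs", modes: ["read"] }] });
```

Two choices carry the security point: every missing or unknown field is an error rather than a default (the fail-open bug in a manifest loader is usually a single `modes ?? ["read", "write"]`), and the log line is produced by `JSON.stringify`, so a newline inside an agent-chosen tool name stays one record instead of becoming a forged second entry.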
We follow coordinated disclosure. We will credit researchers in the changelog unless they prefer to remain anonymous.