• Dependency vulnerabilities — a transitive dependency with a known CVE that could affect mcp-swiss users
• Parameter injection — crafted tool arguments that cause unintended behaviour (e.g. SSRF via URL manipulation in tool parameters)
• Data leakage — tool responses that inadvertently expose information beyond what the upstream API returns
• Prototype pollution — in JSON parsing or argument handling

• Upstream API downtime or data quality issues (report to the data provider)
• API rate limiting by upstream providers
• The fact that all APIs are public/zero-auth by design — this is intentional
• MCP protocol questions — see https://modelcontextprotocol.io

Do not open a public GitHub issue for security vulnerabilities.

Use one of:

1. GitHub private vulnerability reporting — preferred
   Go to Security → Report a vulnerability

2. Email
   Send details to: security@[maintainer-domain] (update this before going public)

Please include:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if you have one)

mcp-swiss handles no credentials, tokens, or personal data. All upstream APIs are public Swiss open data. The tool runs locally via stdio — it does not expose any network port or server.