Please do not report security vulnerabilities through public GitHub issues.
If you discover a security vulnerability in mTarsier, please report it privately by emailing:
Include as much detail as possible:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Any suggested fix (optional)
We will acknowledge your report within 48 hours and aim to release a fix within 14 days depending on severity.
This policy covers the mTarsier desktop application and its bundled tsr CLI binary. It does not cover third-party MCP servers listed in the Marketplace — those are maintained by their respective publishers.
We only provide security fixes for the latest released version of mTarsier. Please make sure you're running the latest release before reporting.
| Version | Supported |
|---|---|
| Latest release | ✓ |
| Older releases | ✗ |