If you discover a security vulnerability in browserless-mcp, please report it privately. Do not open a public GitHub issue.
Email: support@browserless.io
When reporting, please include:
- A description of the vulnerability and its potential impact
- Steps to reproduce, ideally with a minimal proof of concept
- The affected version(s) of browserless-mcp
- Any suggested mitigation, if known
The following are generally not considered vulnerabilities in this project:
- Issues in the upstream Browserless API or Chrome itself — report those to browserless.io directly.
- Misconfiguration of a self-hosted deployment (e.g. exposing an unauthenticated instance to the public internet).
- Denial of service that requires an authenticated user with a valid API token to attack their own session.
Thanks for helping keep the project and its users safe.