Security
Bindfort is built for teams that need customer-controlled security evidence around MCP tool calls. This page summarizes the public security posture and reporting channel.
Last updated: June 16, 2026
Security posture
Bindfort is designed around a self-hosted-first posture for sensitive environments: customer-controlled telemetry, local receipt evidence, and deployment patterns that keep agent/tool-call data under the operator control where possible.
Evidence and controls
Bindfort provides technical controls and evidence that may support security, audit, vendor-risk, and compliance reviews. Bindfort does not by itself make a customer compliant with SOC 2, ISO 27001, the EU AI Act, DORA, NIS2, GDPR, or any other legal or regulatory framework.
No public exploit details
Please do not publish exploit details, proof-of-concept code, customer data, secrets, or actionable abuse steps before coordination. Public research should remain defensive, reproducible, and careful about claims.
Responsible disclosure
Report suspected vulnerabilities or security concerns to security@bindfort.com. Include affected component, version or URL, reproduction steps, impact, and your preferred contact. We will acknowledge reports as soon as practical and coordinate remediation before public disclosure where appropriate.