SAFE-MCP Contributor Guide

A Complete Beginner's Guide to Contributing

📍 Navigation: Looking for what to contribute? Browse 40+ Available Techniques | Need workflow help? Continue reading below

🎯 Ready to Contribute Right Now?

👉 Start here: View Available Techniques →

The Contributor Opportunities document shows 40 high-impact techniques ready for documentation, organized by priority and difficulty level. Perfect for finding your first (or next) contribution

Quick stats as of Nov 8, 2025:

📊 49% of framework still needs documentation
🔥 9 active PRs in progress
✨ 8 techniques merged in first week of November
🎯 Beginner-friendly techniques clearly marked

Quick Start
Welcome to SAFE-MCP!
What You'll Contribute
Prerequisites
Contribution Journey at a Glance
Phase 1 – Prepare Your Workspace
Phase 2 – Choose a Technique
Phase 3 – Research with LLMs
Phase 4 – Document the Technique
- Create Your Working Branch
- Structure Your Technique
Phase 5 – Submit and Collaborate
Quality Checklist & Pro Tips
Additional Resources
You're Ready to Contribute!

Quick Start

TL;DR:

See what's available – 📋 Browse 40+ open techniques → organized by priority and difficulty
Prep your fork – Fork SAFE-MCP/safe-mcp, clone it locally, and skim the root README.md
Claim a technique – Pick an ID from /contribute/opportunities and note it in your branch name
Research intentionally – Use the prompt templates below, but verify every claim against reliable sources
Document + link it – Create techniques/SAFE-TXXXX/README.md from the template, then add it to the main README table
Submit + iterate – Commit with DCO sign-off, open a PR, and respond quickly to feedback

📌 First-time contributor? Check the "Recommended Starting Points" section for beginner-friendly techniques. Have questions? Join our Discord community for support!

Pin this checklist next to your editor and expand each item as you work through the phases below.

Welcome to SAFE-MCP!

SAFE-MCP is a comprehensive security framework for documenting threats in the Model Context Protocol (MCP) ecosystem. We adapt the proven MITRE ATT&CK methodology specifically for MCP environments, helping developers, security teams, and organizations understand and mitigate security risks in AI-powered applications.

Why contribute? By documenting attack tactics and mitigation techniques, you're directly improving the security of AI systems worldwide. Plus, you'll build your GitHub presence, learn about cybersecurity, and join a vibrant community of 5,000+ members.

What You'll Contribute

SAFE-MCP documents security concerns across 14 tactical categories aligned with MITRE ATT&CK:

Tactic	Description
Reconnaissance	The adversary is trying to gather information they can use to plan future operations
Resource Development	The adversary is trying to establish resources they can use to support operations
Initial Access	How attackers get into MCP environments
Execution	Running malicious code via MCP
Persistence	Maintaining foothold in systems
Privilege Escalation	Gaining higher-level permissions
Defense Evasion	Avoiding detection mechanisms
Credential Access	Stealing passwords and tokens
Discovery	Figuring out the MCP environment
Lateral Movement	Moving through environments
Collection	Gathering data of interest
Command and Control	Communicating with compromised systems
Exfiltration	Stealing data from systems
Impact	Manipulating or destroying systems

Note: Some tactics like Reconnaissance and Resource Development currently have no MCP-specific techniques documented—these are great opportunities for new contributors!

You'll document specific attack techniques within these tactics, describing how they work, their potential impact, and most importantly, how to defend against them.

Prerequisites

Before you begin, make sure you have:

☐ GitHub account – Create one at github.com if you don't have one
☐ Git installed – Download from git-scm.com
☐ Text editor – VS Code, Sublime Text, or any editor you prefer
☐ Curiosity about security – No prior experience required!

Optional but helpful:

☐ Markdown preview plug-in
☐ Access to at least one LLM (ChatGPT, Claude, Gemini, etc.)
☐ Browser bookmarks for the references in Additional Resources

Contribution Journey at a Glance

Phase	Goal	Key Actions	Where to Work	Navigation
1. Prep	Set up your workspace	Fork, clone, read the README	This guide	Continue reading ↓
2. Choose	Pick a high-impact gap	Scan opportunities, evaluate scope	→ Opportunities Doc	Switch docs →
3. Research	Validate the threat	Prompt LLMs, gather sources, verify feasibility	This guide	← Return here
4. Document	Capture the technique	Write technique README, map to MITRE, outline mitigations	This guide	Continue reading ↓
5. Submit	Share and iterate	Update root README, commit, open PR, respond to review	This guide	Continue reading ↓

Visual Guide:

Contributor Guide (You start here)
        ↓
Phase 1-2: Learn the process
        ↓
        ↓ Switch to Opportunities Doc
        ↓
Browse & Claim Technique
        ↓
        ↓ Return to Contributor Guide
        ↓
Phases 3-5: Research, Document, Submit

Keep this table nearby—you'll reference it frequently.

Phase 1 – Prepare Your Workspace

Step 1: Fork the Repository

Forking creates your own copy of the project where you can make changes safely.

Visit github.com/SAFE-MCP/safe-mcp
Click the "Fork" button in the top-right corner
Wait for GitHub to create your fork (it takes a few seconds)

Step 2: Clone Your Fork

Cloning downloads the repository to your computer so you can work on it locally.

On your fork's page, click the green "Code" button
Copy the HTTPS URL (it should look like: https://github.com/YOUR-USERNAME/safe-mcp.git)
Open your terminal or command prompt
Run this command (replace YOUR-USERNAME with your GitHub username):

git clone https://github.com/YOUR-USERNAME/safe-mcp.git
cd safe-mcp

Step 3: Explore the README

The README.md file contains the complete list of tactics and existing techniques. This is your roadmap.

Open README.md in your text editor
Look at the TTP (Tactics, Techniques, and Procedures) reference table
Identify tactics with few techniques or areas you're interested in exploring

Phase 2 – Choose a Technique

Picking the right technique early keeps the rest of your work focused.

Use the Contributor Opportunities List

💡 Ready to Choose Your Technique?

Browse 40+ Available Techniques →

We've organized techniques by difficulty, MITRE tactic, and priority to help you find the perfect match. Beginner-friendly options are clearly marked!

📋 Quick Start: Jump to Available Techniques by Tactic for:

40 available techniques (49% of framework still needs contribution)
9 active PRs to avoid duplication
Beginner-friendly options clearly marked in the "Recommended Starting Points" section
Priority areas like Defense Evasion (25% coverage) and Credential Access (29% coverage)

When scanning the list:

Filter by tactic(s) you care about or have context on.
Read the one-line description to ensure you understand the threat.
Confirm there isn't already an open PR covering it (see the "Currently In Progress" section).

Strategies for Selecting a Topic

Strategy 1: Fill the Gaps

Look for tactics with zero or few techniques. Reconnaissance and Resource Development are currently empty—huge opportunities!

Strategy 2: Build on Existing Work

Read existing technique documentation and think about related attack vectors. If there's a technique about "Package Backdooring," consider "Package Typosquatting" or "Dependency Confusion Attacks."

Strategy 3: Real-World Inspiration

Think about recent security incidents you've heard about. How could similar attacks target MCP systems?

Example Attack Vectors

Initial Access: Malicious MCP client connections, tool hijacking
Execution: Prompt injection attacks, unsafe tool parameter handling
Persistence: Modified configuration files, backdoored tool definitions
Defense Evasion: Hiding malicious activity, avoiding detection
Credential Access: Stealing passwords, tokens, and secrets
Discovery: MCP server enumeration, version detection, tool discovery
Lateral Movement: Moving through compromised environments
Collection: Gathering data of interest
Command and Control: Communicating with compromised systems
Exfiltration: Data leakage through tool responses, log file exposure
Impact: Destructive or disruptive operations

Document one technique per PR unless the maintainers request otherwise.

✅ Next Steps

You've learned how to choose a technique. Now pick your path:

🎯 Ready to claim a technique? → Browse Available Techniques
⏭️ Want to understand research first? → Continue to Phase 3: Research with LLMs
🔰 First-time contributor? → Check Recommended Starting Points

Opportunity Snapshot

Metric	Value	Notes
Total techniques in scope	81	Spans all 14 MITRE-aligned tactics (+2 new techniques)
Techniques not contributed yet	24 (30%)	Updated availability
Techniques covered	43 (53%)	Up from 40 techniques (+3 recently merged: T1307, T2102, T2105)
Techniques in progress	14+ techniques	Active contributions from 13 community members
Completely uncovered tactics	1	Command & Control only (Collection now 20% covered)
Recommended first-choice IDs	See "Recommended Starting Points"	Well-scoped, doc-ready topics

Claiming a Technique

Branch naming: feat/SAFE-TXXXX-short-slug helps reviewers connect your work to this list.
Status update: Mention the technique ID in your PR description or comment on the related GitHub issue (if one exists) so others know it's taken.
Stay flexible: If you spot an open PR for the same ID after you started, offer to review it or collaborate instead of duplicating effort.

Priority Areas

The following tactic is completely undocumented and represents a critical gap:

🔴 Command and Control (0/4 techniques completed - all in active PRs)

Newly Elevated Priorities:

🟡 Credential Access (2/7 = 29%) - Only 2 techniques covered, high-value targets for contributors
🟡 Defense Evasion (2/8 = 25%) - Critical evasion techniques still available
🟡 Exfiltration (2/6 = 33%) - Data theft vectors need documentation

Work in Progress

The following techniques are currently being worked on by our contributors:

Contributor	Technique ID	Status
Shekhar Chaudhary	SAFE-T1701	In Progress
Robert Ryan Jennings	SAFE-T1408	In Progress
Utsav Darlami	SAFE-T1803	In Progress
Shubham Shakya	SAFE-T1502	In Progress
Pratikshya Regmi	SAFE-T3001, SAFE-T2101	In Progress
Leo Chin	SAFE-T1305	In Progress
Mukunth	SAFE-T1804	In Progress
Saurabh Yergattikar	SAFE-T1902	In Progress
Rajiv	SAFE-T1102	In Progress
Siddhartha Sitaula	SAFE-T1005	In Progress
Sujit Bista	SAFE-T2104	In Progress
Sumit Yadav	SAFE-T1505	In Progress
Laxmi Pant	SAFE-T1403	In Progress

Note: Please avoid duplicating work on these techniques. Check this list before starting a new contribution!

Available Techniques by Tactic

ATK-TA0008 (1 not contributed yet)

Technique ID	Technique Name	Description
SAFE-T1701	Cross-Tool Contamination	Using compromised MCP tools to access other connected services and systems

ATK-TA0010 (1 not contributed yet)

Technique ID	Technique Name	Description
SAFE-T1910	Covert Channel Exfiltration	Data smuggling through tool parameters, error messages, or legitimate-appearing operations

ATK-TA0011 (1 not contributed yet)

Technique ID	Technique Name	Description
SAFE-T1901	Outbound Webhook C2	LLM calls "http.post" to attacker URL with commands/results

ATK-TA0001 (2 not contributed yet)

Technique ID	Technique Name	Description
SAFE-T1005	Exposed Endpoint Exploit	Misconfigured public MCP endpoints (no auth, debug on) let attackers connect, enumerate tools or trigger RCE
SAFE-T1009	Authorization Server Mix-up	Client follows redirect to look-alike AS domain (e.g., accounts-google.com vs accounts.google.com), causing authorization codes or tokens to be leaked to attacker-controlled server

ATK-TA0003 (2 not contributed yet)

Technique ID	Technique Name	Description
SAFE-T1203	Backdoored Server Binary	Inserts cron job or reverse shell on install; persists even if MCP service is uninstalled
SAFE-T1206	Credential Implant in Config	Adds attacker's API/SSH keys to server .env, giving re-entry

ATK-TA0004 (2 not contributed yet)

Technique ID	Technique Name	Description
SAFE-T1302	High-Privilege Tool Abuse	Invoke a VM-level or root tool from normal user context
SAFE-T1305	Host OS Priv-Esc (RCE)	Achieve root via misconfigured service running as root, then alter host

ATK-TA0005 (2 not contributed yet)

Technique ID	Technique Name	Description
SAFE-T1404	Response Tampering	Model instructed not to mention risky action, keeping UI output "harmless"
SAFE-T1405	Tool Obfuscation/Renaming	Malicious tool named "Utils-Helper" to blend in among 30 legit tools

ATK-TA0006 (1 not contributed yet)

Technique ID	Technique Name	Description
SAFE-T1505	In-Memory Secret Extraction	Query vector store for "api_key" embedding strings

ATK-TA0007 (2 not contributed yet)

Technique ID	Technique Name	Description
SAFE-T1603	System-Prompt Disclosure	Coax model into printing its system prompt/tool JSON
SAFE-T1604	Server Version Enumeration	GET /version or header analysis for vulnerable builds

ATK-TA0008 (4 not contributed yet)

Technique ID	Technique Name	Description
SAFE-T1702	Shared-Memory Poisoning	Write false tasks to shared vector DB so peer agents execute them
SAFE-T1704	Compromised-Server Pivot	Use hijacked server as beachhead to infect other hosts in same IDE/workspace
SAFE-T1706	OAuth Token Pivot Replay	Attacker reuses OAuth tokens across different services by exploiting either shared Authorization Server trust (e.g., GitHub token used at Slack) or Resource Servers that fail to validate audience claims, enabling unauthorized cross-service access
SAFE-T1707	CSRF Token Relay	Leaked OAuth token is passed via Cross-Site Request Forgery to access different resources on the same Resource Server (e.g., pivoting between GCP projects under same Google AS)

ATK-TA0009 (4 not contributed yet)

Technique ID	Technique Name	Description
SAFE-T1802	File Collection	Batch-read sensitive files for later exfil
SAFE-T1803	Database Dump	Use SQL tool to SELECT * from prod DB
SAFE-T1804	API Data Harvest	Loop over customer REST endpoints via HTTP tool
SAFE-T1805	Context Snapshot Capture	Query vector store embeddings wholesale

ATK-TA0010 (2 not contributed yet)

Technique ID	Technique Name	Description
SAFE-T1913	HTTP POST Exfil	Use outbound web tool to POST to attacker server
SAFE-T1914	Tool-to-Tool Exfil	Chain two tools so second one emails data out

ATK-TA0011 (2 not contributed yet)

Technique ID	Technique Name	Description
SAFE-T1902	Covert Channel in Responses	Encode data in whitespace or markdown links returned to chat
SAFE-T1903	Malicious Server Control Channel	Attacker operates rogue server; every tool call doubles as heartbeat

ATK-TA0040 (1 not contributed yet)

Technique ID	Technique Name	Description
SAFE-T2104	Fraudulent Transactions	Payment-tool instructed to move funds

Completion Status by Tactic

Tactic	Completed	Total	Progress	Change Since Last Update
Reconnaissance	0	0	N/A	No change
Resource Development	1	1	✅ 100%	No change
Initial Access	6	8	🟡 75%	↑ +13% (SAFE-T1008 merged)
Execution	9	9	✅ 100%	No change
Persistence	5	8	🟡 62%	↑ +5%
Privilege Escalation	6	8	🟡 75%	↑ +13% (SAFE-T1307 merged)
Defense Evasion	2	8	🔴 25%	↑ +13% (SAFE-T1402 merged)
Credential Access	2	7	🔴 29%	↑ +15% (SAFE-T1503 merged)
Discovery	2	6	🟡 33%	Same % (SAFE-T1602 merged)
Lateral Movement	3	7	🟡 43%	No change
Collection	1	5	🔴 20%	↑ +20% (SAFE-T1801 merged)
Command and Control	1	4	🔴 25%	↑ +25% (SAFE-T1904 merged)
Exfiltration	2	6	🟡 33%	↑ +13% (SAFE-T1915 merged)
Impact	3	5	🟡 60%	↑ +40% (SAFE-T2102, SAFE-T2105 merged)
Overall	43	81	53%	↑ +4% coverage

Phase 3 – Research with LLMs

Large Language Models like ChatGPT, Claude, or Gemini are powerful research assistants. Here's how to use them effectively.

Crafting Effective Prompts

The quality of your research depends on asking the right questions. Use these prompt templates and adjust the placeholders.

Prompt Template 1: Initial Exploration

"I'm researching [ATTACK TYPE] in the context of Model Context Protocol (MCP) security. Can you explain:
1. What is [ATTACK TYPE] in general cybersecurity?
2. How could this attack be adapted to target MCP implementations?
3. What are the technical requirements for this attack?
4. What would be the potential impact on an MCP system?"

Example: "I'm researching prompt injection in the context of Model Context Protocol (MCP) security..."

Prompt Template 2: Technical Deep Dive

"For [ATTACK TECHNIQUE] targeting MCP systems:
1. Describe the step-by-step attack flow
2. What are the prerequisite conditions?
3. What system components are involved?
4. Provide a hypothetical example scenario
5. What would logs or traces of this attack look like?"

Prompt Template 3: Finding Mitigation Strategies

"What are the best practices to defend against [ATTACK TYPE] in MCP implementations?
Consider:
1. Preventive controls (stopping the attack before it happens)
2. Detective controls (identifying when an attack is occurring)
3. Response measures (what to do if an attack is detected)
4. Configuration hardening recommendations"

Prompt Template 4: Real-World Context

"Have there been any documented security incidents similar to [ATTACK TYPE] in:
1. API security
2. AI/ML systems
3. Middleware or protocol implementations
4. Related technologies (GraphQL, gRPC, REST APIs)

Provide specific examples with sources if available."

Validate Everything

LLMs can hallucinate or provide outdated information. ALWAYS verify their outputs. Here's how to validate what you learn:

✓ Credible Sources to Look For:

MITRE ATT&CK Framework (attack.mitre.org) – The gold standard for attack documentation
OWASP (owasp.org) – Web application security best practices
NIST Guidelines (nist.gov) – Government security standards
CVE Database (cve.mitre.org) – Known vulnerabilities
Security Researchers' Blogs – Posts from known experts in the field
Academic Papers – Peer-reviewed security research
Official Security Advisories – From software vendors and security teams

✗ Be Cautious With:

Random forums or Reddit posts without citations
Marketing materials that may exaggerate threats
Outdated content (check publication dates)
Claims without technical details or evidence

The Validation Process

Ask for sources: "Can you provide sources or references for this information?"
Cross-reference: Search for the same information in at least 2–3 credible sources
Check dates: Ensure information is current (MCP is relatively new, so recent sources are better)
Verify technical details: Confirm documentation or code examples back up the claims
Test feasibility: Does the attack make sense given how MCP actually works?

Example Research Workflow

Let's walk through researching "MCP Server Enumeration" as an example:

Step 1: Initial LLM Prompt

"I'm documenting a reconnaissance technique called 'MCP Server Enumeration' for the SAFE-MCP framework. This involves an attacker discovering available MCP servers, their capabilities, and versions. Can you explain:
1. How service enumeration works in general networking security
2. What information an MCP server exposes about itself
3. How an attacker could enumerate MCP servers
4. What risks this poses"

Step 2: Analyze LLM Response

The LLM might explain that MCP servers expose capabilities through their tool lists. Note key points:

Protocol handshake reveals server version
Tool listing exposes available functionality
Error messages may leak implementation details

Step 3: Verify with Official Sources

Check the MCP specification at modelcontextprotocol.io:

Confirm how server initialization works
Verify what information is exposed in the protocol
Check if there are authentication mechanisms

Step 4: Look for Real Examples

Search GitHub for MCP server implementations:

How do servers announce their capabilities?
What metadata is returned during connection?
Are there any privacy or security considerations mentioned?

Step 5: Document Your Findings

Now you have verified information to write your technique documentation!

Phase 4 – Document the Technique

Create Your Working Branch

Create a new branch for your work:

git checkout -b feat/add-technique-name

Find the next available technique ID in your chosen tactic (look at the README table).
Create a new folder in the techniques directory:

mkdir -p techniques/SAFE-T1XXX
cd techniques/SAFE-T1XXX

Structure Your Technique

Create a README.md file and follow the template below. It keeps every contribution consistent and review-friendly.

# SAFE-TXXXX: [Technique Name]

## Tactic

[Tactic Name] (ATK-TAXXX)

## Description

A clear, concise description of the attack technique.
Explain what the attack does and why it matters.

## How It Works

1. Step-by-step breakdown
2. Technical details
3. Prerequisites
4. Expected outcome

## Examples

Provide a realistic scenario:
"An attacker could..."

## Impact

- Confidentiality: [High/Medium/Low]
- Integrity: [High/Medium/Low]
- Availability: [High/Medium/Low]

Explain the potential consequences.

## Detection

How defenders can identify this attack:

- Log patterns to watch for
- Behavioral indicators
- Monitoring strategies

## Mitigation

How to prevent or minimize this attack:

1. Configuration hardening
2. Access controls
3. Input validation
4. Monitoring requirements

## References

- Link to MITRE ATT&CK technique (if applicable)
- Link to security advisories
- Link to technical documentation
- Link to research papers

## MITRE ATT&CK Mapping

ATT&CK Technique: [TXXXX - Technique Name]
ATT&CK Tactic: [Tactic Name]

Pro tip: Draft the description, "How It Works," and "Mitigation" sections first; they drive everything else.

Phase 5 – Submit and Collaborate

Update the Main README

Add your technique to the TTP reference table in the main README.md file:

Open README.md in your text editor
Find the table row for your tactic
Add a link to your technique in the appropriate cell
Update the statistics at the bottom (total techniques count)

Example table entry:

| ATK-TA0043 | Reconnaissance | [SAFE-T1301](/techniques/SAFE-T1301/README.md) | MCP Server Enumeration | Discover available MCP servers and their capabilities |

Commit and Push

Save your work to Git:

git add techniques/SAFE-T1XXX/
git add README.md
git commit -s -m "feat(SAFE-T1XXX): added [Technique Name]"
git push origin feat/add-technique-name

Create a Pull Request

Go to your fork on GitHub (github.com/YOUR-USERNAME/safe-mcp)
Click the "Compare & pull request" button that appears
Write a clear title: "Add SAFE-T1XXX: [Technique Name]"
In the description, explain:
- What attack technique you documented
- Why it's relevant to MCP security
- What research you conducted
- Any questions or areas where you'd like feedback
Click "Create pull request"

Engage in Review

Community members will review your PR. This is a learning opportunity!

Respond to feedback promptly and professionally
Ask questions if you don't understand a suggestion
Make requested changes by pushing new commits to your branch
Learn from the discussion – reviews help you grow!

Quality Checklist & Pro Tips

Before you hit "Create pull request," double-check the following:

☐ Technique ID matches the tactic and isn't already taken
☐ techniques/SAFE-TXXXX/README.md follows the template sections and headings
☐ Each claim is backed by at least one verifiable source
☐ Impact, Detection, and Mitigation sections list concrete actions or signals
☐ MITRE ATT&CK mapping is present (even if "Not Applicable")
☐ Main README.md references your new technique
☐ Every commit includes DCO sign-off (git commit -s)

Writing Quality Documentation

Be specific: Avoid vague terms like "could be exploited." Explain exactly how.
Use examples: Concrete scenarios help readers understand the attack.
Balance detail: Provide enough information to be useful, but stay focused.
Think defensively: Emphasize mitigations as much as attack vectors.
Cite sources: Always link to your references.

Common Pitfalls to Avoid

Relying solely on LLM output: Always verify with real sources.
Overly theoretical attacks: Focus on practical, exploitable vectors.
Ignoring mitigations: The defensive guidance is just as important.
Poor formatting: Follow the template structure.
Missing MITRE mapping: Link to ATT&CK when applicable.
Duplicate technique IDs: Always check for the next available ID.

Peer Review Best Practices

Reviewing others' PRs is equally valuable! When reviewing:

Be constructive: Suggest improvements, don't just criticize.
Test accuracy: Verify claims against sources.
Check completeness: Does it follow the template?
Look for clarity: Would a beginner understand this?
Acknowledge effort: Thank the contributor for their work.

Additional Resources

Official Documentation

SAFE-MCP Repository: github.com/SAFE-MCP/safe-mcp
MCP Specification: modelcontextprotocol.io
MITRE ATT&CK: attack.mitre.org

Security Research

OWASP: owasp.org
CVE Database: cve.mitre.org
NIST Cybersecurity: nist.gov/cyberframework

Community

AI Agents Community – Join our weekly hackathons
Linux Foundation bi-weekly Meeting – Every Monday at 1 PM
GitHub Discussions – Ask questions, share insights

You're Ready to Contribute!

You now have everything you need to make meaningful contributions to SAFE-MCP. Remember:

Start small – even documenting one technique is valuable
Ask questions – the community is here to help
Verify everything – quality over quantity
Engage with others – review PRs, share knowledge
Have fun – you're making the internet safer!

Join us at our weekly hackathons and let's build something great together!

━━━━━━━━━━━━━━━━━━━━━━━━━

Questions? Reach out to the SAFE-MCP community!

github.com/SAFE-MCP/safe-mcp