The Model Context Protocol is rewriting how AI agents interact with the world. Thousands of MCP servers now expose tools, data sources, and integrations that autonomous agents rely on for everything from code generation to financial transactions. The ecosystem is growing faster than anyone predicted. The security research keeping pace with it is not.

Traditional CVE databases and vulnerability research programs were built for operating systems, web frameworks, and network protocols. They were not built for a protocol where a single misconfigured server can give an AI agent unrestricted access to a production database, or where a prompt injection vulnerability in one tool can cascade through an entire agent workflow. MCP servers represent a fundamentally new attack surface, and the security research community has not yet caught up.

That is why we built Touchstone.

"You cannot secure what you have not researched. Touchstone exists to make sure the MCP ecosystem does not repeat the mistakes of every platform that shipped first and asked security questions later."

Why MCP Needs Its Own CVE Research

When a vulnerability is discovered in Apache, OpenSSL, or the Linux kernel, there is a well-established pipeline for disclosure, tracking, and remediation. CVE identifiers are assigned. NVD entries are created. Scanners are updated. Patches are published. The infrastructure took decades to build, but it works.

MCP servers have none of this. A typical MCP server is a small, independently maintained project -- often a single developer wrapping an API in the MCP protocol and publishing it to a registry. There is no coordinated vulnerability disclosure process. There is no centralized advisory database. There is no scanning infrastructure designed to identify the specific vulnerability classes that matter in the MCP context: injection vectors that exploit the boundary between natural language and tool invocation, authentication schemes that assume a human is on the other end, data exfiltration paths that are invisible because the agent itself is the exfiltration mechanism.

The result is an ecosystem where thousands of servers are deployed in production with no systematic security review. Agents connect to them based on functionality alone. Developers trust them because they work, not because anyone has verified they are safe.

This is the gap Touchstone fills.

What Touchstone Is

Touchstone is CraftedTrust's dedicated CVE research engine for the MCP ecosystem. It is three things in one:

Touchstone is not a one-time audit tool. It runs continuously across every server indexed by MCP Shield, rescanning as servers are updated and new servers are added to the registry. Security is not a point-in-time assessment. It is an ongoing process, and Touchstone is built to operate that way.

The 90-Day Responsible Disclosure Pipeline

Finding vulnerabilities is only half the job. How you handle them defines whether you are a security research operation or a liability. Touchstone follows a strict 90-day responsible disclosure pipeline modeled on the practices established by Google's Project Zero and adopted by the broader security research community.

The pipeline works in four stages:

Stage 1: Discovery and Verification

When Touchstone's automated scanners flag a potential vulnerability, the finding is verified manually before any disclosure begins. False positives are eliminated. Severity is assessed. The potential impact in real-world agent deployments is evaluated. Only confirmed, reproducible vulnerabilities proceed to disclosure.

Stage 2: Private Disclosure

The server maintainer is contacted privately with a detailed vulnerability report. The report includes the vulnerability class, reproduction steps, severity assessment, and recommended remediation. The maintainer receives full technical details needed to understand and fix the issue.

Stage 3: The 90-Day Window

From the date of private disclosure, the maintainer has 90 days to develop and release a patch. During this window, Touchstone does not publish any details about the vulnerability. Trust scores in MCP Shield are not affected. The goal is to give maintainers -- many of whom are individual developers or small teams -- adequate time to respond without creating public pressure.

If a maintainer releases a patch before the 90-day window closes, Touchstone publishes the advisory immediately after the fix is available, giving downstream users the information they need to update.

Stage 4: Public Advisory

After 90 days, or after a patch is released -- whichever comes first -- Touchstone publishes a full advisory. The advisory is structured and machine-readable, allowing automated systems to consume it. At this point, MCP Shield trust scores are updated to reflect the finding and its remediation status.

If a maintainer does not respond or does not patch within 90 days, the advisory is published regardless. This is consistent with industry-standard responsible disclosure practices. The 90-day window is generous, but it is not indefinite. Users deserve to know about vulnerabilities in the tools their agents depend on.

What Touchstone Scans For

Generic vulnerability scanners are not sufficient for MCP. The protocol introduces vulnerability classes that do not exist in traditional web applications or APIs. Touchstone's scanning engine is designed around five primary categories:

Authentication and Authorization Weaknesses

Many MCP servers ship with no authentication at all, or with authentication schemes that assume a human user rather than an autonomous agent. Touchstone identifies servers with missing authentication, weak token handling, overly permissive authorization scopes, and authentication bypasses that arise from the mismatch between human-designed auth flows and agent-driven access patterns.

Injection Vectors

Prompt injection is the defining vulnerability class of the AI era, but in the MCP context it takes specific forms. Touchstone scans for tool description injection, where malicious content in a tool's metadata can manipulate agent behavior. It scans for parameter injection, where tool inputs are constructed from untrusted natural language without proper sanitization. And it scans for cross-tool injection, where the output of one tool is used as input to another without validation, creating injection chains that span multiple servers.

Data Exfiltration Paths

In a traditional application, data exfiltration requires an attacker to establish an outbound channel. In the MCP ecosystem, the agent itself can be the exfiltration mechanism. A compromised or malicious tool can instruct the agent to include sensitive data in subsequent tool calls to other servers. Touchstone maps these potential exfiltration paths by analyzing tool permissions, data flow patterns, and the interaction surfaces between tools on the same agent.

Dependency Vulnerabilities

MCP servers are software, and like all software, they depend on third-party libraries and packages. Touchstone performs deep dependency analysis, identifying known CVEs in the dependency tree, flagging unmaintained or abandoned dependencies, and detecting dependency confusion risks where a server might pull a malicious package from a public registry instead of an intended private one.

Misconfigurations

The most common security issues in MCP servers are not code vulnerabilities -- they are configuration mistakes. Overly broad tool permissions. Debug endpoints left enabled in production. Default credentials. CORS policies that allow any origin. Transport configurations that do not enforce TLS. Touchstone maintains a comprehensive misconfiguration ruleset that is updated as new deployment patterns emerge in the ecosystem.

How Touchstone Feeds Back Into MCP Shield

Touchstone does not operate in isolation. Every finding feeds directly into the MCP Shield trust scoring system, creating a closed loop between vulnerability research and trust assessment.

When a Touchstone advisory is published, the affected server's trust score is recalculated immediately. The severity of the vulnerability, whether a patch is available, and how quickly the maintainer responded all factor into the updated score. Servers that demonstrate a pattern of responsive, timely patching see their scores recover. Servers with unpatched critical vulnerabilities see significant score reductions that persist until remediation is confirmed.

This integration means that any agent or enterprise using MCP Shield for trust-gated connections -- as described in the Agent Trust Stack -- automatically benefits from Touchstone's research. No additional integration is required. The trust scores already incorporate vulnerability intelligence, and they update in real time as new findings are published.

For enterprises using the AgentGov dashboard, Touchstone findings also trigger risk alerts. If an agent in your fleet is connected to a server with a newly published Touchstone advisory, you receive an alert with the advisory details, remediation guidance, and the option to enforce a connection block until the issue is resolved.

The Astrix Parallel

If this approach sounds familiar, it should. Astrix Security built its reputation by conducting systematic vulnerability research across SaaS platforms -- finding and responsibly disclosing vulnerabilities in OAuth implementations, API integrations, and third-party app ecosystems that no one else was looking at. Their research did not just fix individual bugs. It raised the security bar for the entire SaaS ecosystem by demonstrating that these integration points were a real attack surface that demanded dedicated attention.

Touchstone follows the same model for MCP. The MCP ecosystem today is where SaaS integrations were five years ago: widely deployed, deeply trusted, and almost entirely unaudited from a security perspective. The vulnerability classes are different -- prompt injection instead of OAuth token theft, tool description manipulation instead of SAML assertion forgery -- but the structural problem is identical. A rapidly growing ecosystem of interconnected services with no dedicated security research program.

The Astrix model proved that systematic, responsible vulnerability research does not just find bugs. It creates accountability. It establishes best practices. It gives maintainers the information they need to build more secure software. And it gives users the confidence that someone is looking.

Touchstone exists to provide that same accountability for MCP.

Beyond Scoring: CraftedTrust as a Security Research Authority

Trust scoring is where CraftedTrust started. MCP Shield evaluates servers against a 12-factor framework and produces a quantified trust score. That is valuable, and it remains the foundation of everything we do. But scoring alone is not enough.

A trust score tells you how a server looks today against a set of static criteria. Touchstone tells you what is actually wrong -- what specific vulnerabilities exist, how they can be exploited, and what needs to be done to fix them. It is the difference between a credit score and a forensic audit. Both are useful. Both serve different purposes. Together, they provide a level of security assurance that neither can deliver alone.

With Touchstone, CraftedTrust is not just a scoring platform. It is a multi-service trust platform with a dedicated security research operation, a responsible disclosure pipeline, a growing advisory database, and downstream integrations into certification, governance, and registry workflows. This is what it takes to be a genuine trust authority in the MCP ecosystem -- not just measuring trust, but actively working to improve it.

What Comes Next

Touchstone is operational today and actively scanning the MCP server landscape. The first advisories have been published through the responsible disclosure pipeline, and the findings are already reflected in MCP Shield trust scores across the registry.

As the MCP ecosystem matures, Touchstone will evolve with it. New vulnerability classes will emerge as agents take on more complex workflows and connect to more sensitive systems. New scanning techniques will be needed as server architectures evolve. And the advisory database will grow into a comprehensive, searchable record of MCP-specific security intelligence that the entire ecosystem can rely on.

If you are building MCP servers, deploying agents in production, or responsible for the security of systems that interact with the MCP ecosystem, Touchstone is working on your behalf. Every scan, every advisory, and every trust score update makes the ecosystem a little more transparent and a little more secure.

Explore Touchstone findings at touchstone.craftedtrust.com and the full CraftedTrust platform at craftedtrust.com/platform.