Security Scores
Every MCP server analyzed by MCP Hub receives an automated security score from 0 to 100. This score provides a single, comparable measure of the package’s overall security posture.
Overview
The security score is composed of three weighted components:
| Component | Weight | What It Measures |
|---|---|---|
| Security | 50% | Vulnerabilities found in the code |
| Supply Chain | 30% | Health of dependencies |
| Maturity | 20% | Code quality and project health |
Score Components
Security (50% weight)
The security component evaluates the code itself for vulnerabilities across 14 vulnerability classes. Its score is driven by:
- Number and severity of findings (Critical, High, Medium, Low)
- Vulnerability classes detected (injection, data exfiltration, privilege escalation, insecure deserialization, etc.)
- Exploitability assessment
- Critical findings apply a heavy penalty to this component
A package with zero findings scores 100 on this component. Each finding reduces the score proportionally to its severity.
Supply Chain (30% weight)
The supply chain component evaluates dependencies:
- Known CVEs in direct and transitive dependencies
- Pinned vs. floating dependency versions (pinned versions score higher)
- Total number of transitive dependencies (fewer is better)
- Dependency freshness (outdated dependencies reduce the score)
Maturity (20% weight)
The maturity component evaluates project health signals:
- Code quality indicators
- Documentation presence
- Testing indicators
- Repository health (recent commits, issue responsiveness)
Score Calculation
Each component is independently scored from 0 to 100, then combined using the weighted formula:
Final Score = (Security x 0.50) + (Supply Chain x 0.30) + (Maturity x 0.20)
Example: A package with Security = 90, Supply Chain = 75, Maturity = 80 would receive:
(90 x 0.50) + (75 x 0.30) + (80 x 0.20) = 45 + 22.5 + 16 = 83.5, which rounds to a final score of 84
Letter Grades
Scores map to letter grades for quick visual identification:
| Score Range | Grade | Color |
|---|---|---|
| 90 – 100 | A | Green |
| 80 – 89 | B | Green |
| 70 – 79 | C | Yellow |
| 60 – 69 | D | Yellow |
| 0 – 59 | F | Red |
Score Thresholds and Certification
Scores directly determine the maximum certification level a package can achieve:
| Threshold | Significance |
|---|---|
| >= 90 | Eligible for Level 3 certification (Runtime Certified, future) |
| >= 80 | Eligible for Level 2 certification (Security Certified) |
| >= 60 | Eligible for Level 1 certification (Static Verified) |
| < 60 | Level 0 only (Integrity Verified); `--trust` flag required to run without a policy override |
See Certification Levels for details on each tier.
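The score calculation, letter-grade bands and certification thresholds above fit in one small scorer. The following is an added worked example, not MCP Hub's own implementation: it applies the documented weights, rounds to an integer, and maps the result to the grade and the maximum certification level. Two details the page does not pin down are treated as assumptions and marked in the code: rounding is half-up to the nearest integer (the page shows only 83.5 rounding to 84), and component scores outside 0-100 are rejected rather than clamped. The function names are illustrative.

```python
# Added example; not MCP Hub's scoring code. Weights, grade bands and
# certification thresholds are copied from the tables on this page.
# Assumptions: half-up rounding to the nearest integer, and component values
# outside 0-100 are rejected rather than clamped.
from decimal import Decimal, ROUND_HALF_UP
from typing import Dict, List, Tuple

# Weights from the Overview table; they must sum to exactly 1.0.
WEIGHTS: Dict[str, Decimal] = {
    "security": Decimal("0.50"),
    "supply_chain": Decimal("0.30"),
    "maturity": Decimal("0.20"),
}
assert sum(WEIGHTS.values()) == Decimal("1.00")

# Letter-grade bands (lower bound inclusive) from the Letter Grades table.
GRADE_BANDS: List[Tuple[int, str, str]] = [
    (90, "A", "Green"),
    (80, "B", "Green"),
    (70, "C", "Yellow"),
    (60, "D", "Yellow"),
    (0, "F", "Red"),
]

# Certification eligibility thresholds from the Score Thresholds table.
CERT_LEVELS: List[Tuple[int, int, str]] = [
    (90, 3, "Runtime Certified (future)"),
    (80, 2, "Security Certified"),
    (60, 1, "Static Verified"),
    (0, 0, "Integrity Verified"),
]


def composite_score(security: float, supply_chain: float, maturity: float) -> int:
    """Final Score = Security*0.50 + Supply Chain*0.30 + Maturity*0.20, rounded."""
    components = {"security": security, "supply_chain": supply_chain, "maturity": maturity}
    for name, value in components.items():
        if not 0 <= value <= 100:
            raise ValueError(f"{name} component {value!r} is outside 0-100")
    # Decimal avoids binary-float drift (0.1 + 0.2 != 0.3) at a rounding boundary.
    raw = sum(Decimal(str(value)) * WEIGHTS[name] for name, value in components.items())
    # Assumption: half-up rounding; the page only documents 83.5 -> 84.
    return int(raw.quantize(Decimal("1"), rounding=ROUND_HALF_UP))


def letter_grade(score: int) -> Tuple[str, str]:
    """Map a 0-100 score to (grade, color) using the first band whose floor it meets."""
    for floor, grade, color in GRADE_BANDS:
        if score >= floor:
            return grade, color
    raise ValueError(f"score {score!r} is below every band")


def max_certification_level(score: int) -> Tuple[int, str]:
    """Highest certification level the score makes the package eligible for."""
    for floor, level, name in CERT_LEVELS:
        if score >= floor:
            return level, name
    raise ValueError(f"score {score!r} is below every threshold")


def trust_flag_required(score: int) -> bool:
    """Below 60 the package is Level 0 only and needs --trust (or a policy override) to run."""
    return score < 60


def score_report(security: float, supply_chain: float, maturity: float) -> Dict[str, object]:
    """Everything a dashboard would show for one analyzed version."""
    score = composite_score(security, supply_chain, maturity)
    grade, color = letter_grade(score)
    level, level_name = max_certification_level(score)
    return {
        "score": score,
        "grade": grade,
        "color": color,
        "max_level": level,
        "max_level_name": level_name,
        "trust_flag_required": trust_flag_required(score),
    }


if __name__ == "__main__":
    # The page's own example: 45 + 22.5 + 16 = 83.5 -> 84 -> B, Level 2.
    print(score_report(90, 75, 80))
    # Rounding at a boundary: 29.5 + 18 + 12 = 59.5 -> 60 -> D, Level 1, no --trust needed.
    print(score_report(59, 60, 60))
```

The second call in the `__main__` block is the case worth checking in any reimplementation: a raw 59.5 lands on the Level 1 threshold only because of the rounding rule, so whichever rule the real scorer uses decides whether that package needs `--trust`.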
Improving Your Score
If your MCP server has a low score, here are the most impactful actions you can take, ordered by effect:
- Fix reported security findings – This has the biggest impact since Security carries 50% of the weight. Address Critical and High severity findings first.
- Pin all dependency versions – Replace floating versions (e.g., `^1.0.0`) with exact pins (e.g., `1.0.2`) to improve Supply Chain scoring.
- Remove unused dependencies – Fewer dependencies means a smaller attack surface and fewer potential CVEs.
- Update outdated dependencies – Bring dependencies to their latest patched versions.
- Add tests and documentation – Improves the Maturity component.
- Re-scan after making changes – Push a new version or trigger a re-analysis to see your updated score.
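Pinning is the step most people get wrong by hand, because `^`, `~`, `*`, dist-tags such as `latest`, and git or URL sources all count as floating even when the installed version happens to be fixed today. The script below is an added example, not MCP Hub tooling: it lists every floating specifier in a `package.json` and proposes the exact version the project's own `package-lock.json` already resolved, so the pinned manifest keeps the code you have actually tested. The two JSON documents embedded in it are constructed for the example and the package names are illustrative; it assumes an npm lockfile in v1 (`dependencies`) or v2/v3 (`packages`) layout.

```python
# Added example, not MCP Hub's tooling. Finds floating dependency specifiers in
# a package.json and proposes exact pins from the versions the lockfile already
# resolved. Both JSON documents below are constructed for this example.
# Assumption: npm lockfile v1 ("dependencies") or v2/v3 ("packages").
import json
import re
from typing import Dict, Optional, Tuple

# An exact pin is a bare MAJOR.MINOR.PATCH (prerelease/build metadata allowed,
# optional leading "="). Ranges, wildcards, dist-tags and git/URL sources float.
EXACT_PIN = re.compile(r"^=?\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$")

SAMPLE_PACKAGE_JSON = """{
  "name": "example-mcp-server",
  "version": "0.3.0",
  "dependencies": {
    "@modelcontextprotocol/sdk": "^1.0.0",
    "zod": "3.22.4",
    "express": "~4.18.0",
    "left-pad": "*",
    "debug": "latest",
    "my-lib": "github:someone/my-lib"
  },
  "devDependencies": {"typescript": "^5.0.0"}
}"""

# Constructed lockfile v3; "my-lib" is deliberately absent to show the
# unresolvable path a git-sourced dependency can take.
SAMPLE_LOCK = """{
  "name": "example-mcp-server",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-mcp-server", "version": "0.3.0"},
    "node_modules/@modelcontextprotocol/sdk": {"version": "1.0.4"},
    "node_modules/zod": {"version": "3.22.4"},
    "node_modules/express": {"version": "4.18.2"},
    "node_modules/left-pad": {"version": "1.3.0"},
    "node_modules/debug": {"version": "4.3.4"},
    "node_modules/typescript": {"version": "5.4.5"}
  }
}"""


def is_exact_pin(spec: str) -> bool:
    return bool(EXACT_PIN.match(spec.strip()))


def resolved_versions(lock: dict) -> Dict[str, str]:
    """Top-level package -> resolved version from a v1 or v2/v3 package-lock.json."""
    resolved: Dict[str, str] = {}
    prefix = "node_modules/"
    for path, entry in lock.get("packages", {}).items():  # lockfile v2/v3
        # One node_modules segment = direct install; nested paths are transitive
        # copies and must not drive the pin for the top-level dependency.
        if path.startswith(prefix) and path.count(prefix) == 1 and "version" in entry:
            resolved[path[len(prefix):]] = entry["version"]
    for name, entry in lock.get("dependencies", {}).items():  # lockfile v1
        if "version" in entry:
            resolved.setdefault(name, entry["version"])
    return resolved


def suggest_pins(manifest: dict, lock: dict,
                 sections: Tuple[str, ...] = ("dependencies",)
                 ) -> Dict[str, Tuple[str, Optional[str]]]:
    """{name: (current_spec, exact_pin_or_None)} for each floating dependency.
    devDependencies are skipped by default; add them to `sections` for a stricter check."""
    resolved = resolved_versions(lock)
    out: Dict[str, Tuple[str, Optional[str]]] = {}
    for section in sections:
        for name, spec in manifest.get(section, {}).items():
            if not is_exact_pin(spec):
                out[name] = (spec, resolved.get(name))  # None if the lock cannot resolve it
    return out


def pinned_manifest(manifest: dict, lock: dict) -> dict:
    """Copy of the manifest with each resolvable floating spec replaced by its exact pin."""
    pinned = json.loads(json.dumps(manifest))  # deep copy
    for name, (_spec, pin) in suggest_pins(manifest, lock).items():
        if pin is not None:
            pinned["dependencies"][name] = pin  # unresolvable specs are left for manual review
    return pinned


def analyze(manifest_json: str, lock_json: str) -> Dict[str, object]:
    manifest, lock = json.loads(manifest_json), json.loads(lock_json)
    suggestions = suggest_pins(manifest, lock)
    return {
        "floating": suggestions,
        "unresolvable": sorted(n for n, (_s, pin) in suggestions.items() if pin is None),
        "pinned_manifest": pinned_manifest(manifest, lock),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK)
    for name, (spec, pin) in result["floating"].items():
        print(f"{name}: {spec} -> {pin or 'not in lockfile; pin by hand'}")
    print(json.dumps(result["pinned_manifest"]["dependencies"], indent=2))
```

Pinning from the lockfile rather than from "latest" matters for the score: the pin closes the floating-version finding without silently changing the installed code, and the outdated-dependency signal is then addressed separately by a deliberate upgrade and re-scan.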
Score Freshness
Scores are computed at the time of analysis and are associated with a specific version. When you publish a new version, it receives a fresh analysis and a new score. Previous version scores remain unchanged.