How VaultPlane Trust Scores Work
March 5, 2026 · 4 min read
Why Trust Scores Matter
There are thousands of MCP servers available. Some are maintained by the companies that own the underlying service. Some are community projects by a single developer. Some haven't been updated in months.
When you are deciding which MCP server to connect to your AI agent — and by extension, your infrastructure — you need a way to evaluate trustworthiness quickly. That is what VaultPlane trust scores provide.
The Four Signals
Every trust score is a composite of four categories, each measuring a different aspect of reliability.
Verification (0-30 points)
Who vouches for this server?
- Enterprise Verified (30) — The service provider has verified this as their official MCP server
- Verified (20) — VaultPlane has reviewed and verified the server
- Community (10) — Listed in a recognized community registry
- Unverified (0) — No external verification
Verification is the strongest signal because it involves human review. An enterprise-verified server means the company behind the service (Stripe, GitHub, Salesforce) has confirmed this is their official integration.
Popularity (0-25 points)
Does the community trust this server?
Popularity is measured through three indicators:
- GitHub Stars — Direct signal of developer interest. Servers with 5,000+ stars get maximum points; even 10 stars indicates some community validation.
- Fork Count — Forks indicate active community involvement and the potential for maintained alternatives.
- Download Count — Actual usage is the strongest popularity signal. A server with 100,000+ downloads has been battle-tested by real users.
Popularity alone does not guarantee security — popular software can have vulnerabilities. But it does mean more eyes on the code and faster disclosure of issues.
Maintenance (0-25 points)
Is someone actively maintaining this server?
- Last Push Date — A repository with commits in the last 30 days scores highest. A repo untouched for a year scores near zero.
- Contributor Count — Servers maintained by a team of 20+ are more resilient than single-maintainer projects. A bus factor of one is a real risk.
- Archived Status — Archived repositories automatically score zero for maintenance. If the maintainer has explicitly stopped development, that is critical information.
Maintenance signals are especially important for security. Unmaintained servers do not get security patches. A vulnerability in a dependency will remain unpatched indefinitely.
Transparency (0-20 points)
Can you evaluate this server yourself?
- Open Source Repository — Can you read the code? Open source allows independent security review.
- Documentation — Does the server have documentation explaining its capabilities, permissions, and configuration?
- License — A clear open-source license (MIT, Apache 2.0) provides legal clarity and signals professional development practices.
- Permission Declarations — Does the server explicitly declare what permissions it needs and at what risk level?
Transparency enables informed decisions. A server that clearly declares it needs write access to your database is more trustworthy than one that is vague about its permissions — even if both request the same access.
Reading a Trust Score
Trust scores range from 0 to 100:
| Score | Label | What It Means |
|-------|-------|---------------|
| 80-100 | Excellent | Well-maintained, verified, popular, transparent |
| 60-79 | Good | Solid on most signals, may lack verification or have lower popularity |
| 40-59 | Fair | Some positive signals but notable gaps — investigate before deploying |
| 0-39 | Limited | Minimal signals — high caution warranted |
A "Limited" score does not necessarily mean the server is dangerous. A brand-new server by a reputable company will start with a low score until it accumulates stars, downloads, and verification. But it does mean you should perform your own due diligence before deploying it.
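A worked illustration of how the four categories combine into a 0-100 score and a label, added here as an example rather than VaultPlane's own implementation. The category maxima, the verification tiers and the band thresholds are taken from the article; the split of each category into sub-signals, the logarithmic and linear ramps between thresholds, and the three sample listings are constructed assumptions chosen to make the rubric computable.

```python
"""Illustrative trust-score calculator for MCP server listings.

Added example, not VaultPlane code. Category maxima (30/25/25/20) and the
verification tiers follow the article; sub-signal weights and ramps are assumed.
"""
import math
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class ServerMetadata:
    """Metadata a registry would hold about one MCP server (constructed shape)."""
    verification: str          # "enterprise" | "verified" | "community" | "unverified"
    stars: int
    forks: int
    downloads: int
    last_push: date
    contributors: int
    archived: bool
    open_source: bool
    has_docs: bool
    license: Optional[str]     # e.g. "MIT" or "Apache-2.0"; None if unlicensed
    declares_permissions: bool


# Verification tiers and points exactly as listed in the article.
VERIFICATION_POINTS = {"enterprise": 30, "verified": 20, "community": 10, "unverified": 0}


def _log_ramp(value: int, ceiling: int, max_points: float) -> float:
    """Assumed log10 ramp: 0 points at 0, max_points at or above `ceiling`.
    Log scaling is what lets a handful of stars register as 'some' validation."""
    if value <= 0:
        return 0.0
    return max_points * min(1.0, math.log10(value + 1) / math.log10(ceiling + 1))


def verification_score(m: ServerMetadata) -> float:
    return float(VERIFICATION_POINTS.get(m.verification, 0))


def popularity_score(m: ServerMetadata) -> float:
    # Assumed split of the 25 points: stars 10, forks 5, downloads 10.
    # Ceilings of 5,000 stars and 100,000 downloads come from the article.
    return (_log_ramp(m.stars, 5_000, 10)
            + _log_ramp(m.forks, 500, 5)
            + _log_ramp(m.downloads, 100_000, 10))


def maintenance_score(m: ServerMetadata, today: date) -> float:
    if m.archived:
        return 0.0  # archived repositories score zero for the whole category
    days = (today - m.last_push).days
    # Assumed: full credit within 30 days, linear decay to zero at 365 days.
    if days <= 30:
        recency = 1.0
    elif days >= 365:
        recency = 0.0
    else:
        recency = (365 - days) / (365 - 30)
    # Assumed split: 15 points for recency, 10 for contributors (capped at 20).
    return 15 * recency + 10 * min(1.0, m.contributors / 20)


def transparency_score(m: ServerMetadata) -> float:
    # Assumed split: 8 open source, 4 docs, 4 license, 4 permission declarations.
    return (8 * m.open_source + 4 * m.has_docs
            + 4 * bool(m.license) + 4 * m.declares_permissions)


def score_label(total: int) -> str:
    """Bands from the article's table."""
    if total >= 80:
        return "Excellent"
    if total >= 60:
        return "Good"
    if total >= 40:
        return "Fair"
    return "Limited"


def trust_score(m: ServerMetadata, today: date) -> dict:
    """Return the per-category breakdown plus the rounded total and its label."""
    parts = {
        "verification": verification_score(m),
        "popularity": popularity_score(m),
        "maintenance": maintenance_score(m, today),
        "transparency": transparency_score(m),
    }
    total = round(sum(parts.values()))
    return {**parts, "total": total, "label": score_label(total)}


TODAY = date(2026, 3, 5)

# Constructed listings (hypothetical servers, not real registry entries).
MATURE = ServerMetadata(verification="enterprise", stars=6_000, forks=800, downloads=250_000,
                        last_push=date(2026, 2, 20), contributors=35, archived=False,
                        open_source=True, has_docs=True, license="Apache-2.0",
                        declares_permissions=True)
# Brand-new, fully transparent server that has not yet earned stars or verification.
BRAND_NEW = ServerMetadata(verification="unverified", stars=0, forks=0, downloads=0,
                           last_push=date(2026, 3, 1), contributors=2, archived=False,
                           open_source=True, has_docs=True, license="MIT",
                           declares_permissions=True)
# Once-popular server whose maintainer archived the repository.
ARCHIVED = ServerMetadata(verification="community", stars=5_000, forks=500, downloads=100_000,
                          last_push=date(2024, 1, 1), contributors=12, archived=True,
                          open_source=True, has_docs=False, license="MIT",
                          declares_permissions=False)

if __name__ == "__main__":
    for name, m in [("mature", MATURE), ("brand_new", BRAND_NEW), ("archived", ARCHIVED)]:
        print(name, trust_score(m, TODAY))
```

The brand-new listing lands in the "Limited" band despite scoring full transparency points, which is the situation the article describes: the score reflects accumulated evidence, not a judgement that the server is dangerous. The archived listing shows the opposite failure: strong popularity history, but the maintenance category is gated to zero, so the total drops into "Fair" and the breakdown tells you exactly why.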
Trust Scores Are a Starting Point
No automated score can replace a thorough security review for production deployments. Trust scores are designed to help you prioritize — spend your review time on servers that matter most, and flag servers that need closer inspection.
Every server on VaultPlane includes the full trust score breakdown on its detail page, so you can see exactly which signals are strong and which are missing.