We release patches for security vulnerabilities for the following versions:

| Version | Supported |
|---|---|
| 0.1.x | ✅ |

We take the security of MCP Manager seriously. If you discover a security vulnerability, please follow these steps:
DO NOT create a public GitHub issue for security vulnerabilities.
Instead, please report security vulnerabilities by:
- Using GitHub's Security Advisory feature:
  - Go to the Security Advisories page
  - Click "Report a vulnerability"
  - Fill in the details
- Or email directly:
  - Send an email to [security contact - to be added]
  - Include "SECURITY" in the subject line
When reporting a vulnerability, please include:
- Description: A clear description of the vulnerability
- Impact: What an attacker could do with this vulnerability
- Affected versions: Which versions are affected
- Steps to reproduce: Detailed steps to reproduce the issue
- Proof of concept: If possible, provide a PoC
- Suggested fix: If you have ideas on how to fix it
- Acknowledgment: Within 48 hours
- Initial assessment: Within 7 days
- Status updates: Every 7 days until resolved
- Fix timeline: Varies based on severity (Critical: <7 days, High: <30 days, Medium: <90 days)
We appreciate responsible disclosure. With your permission, we'll acknowledge your contribution in:
- Release notes
- Security advisories
- Project documentation
When using MCP Manager:
- Keep Updated: Always use the latest version
- Review Configurations: Regularly audit agent configurations
- Limit Access: Run with minimal required permissions
- Monitor Logs: Check logs for suspicious activity
- Secure Deployments: Use HTTPS in production
- Container Security: Keep Docker images updated
MCP Manager includes:
- Dependency Scanning: Automated via Dependabot
- Code Scanning: CodeQL analysis on every commit
- Secure Defaults: Safe configuration out of the box
- Input Validation: Strict validation of all inputs
- Least Privilege: Runs with minimal required permissions
Thank you for helping keep MCP Manager and its users safe!