We release patches for security vulnerabilities for the following versions:
| Version | Supported |
|---|---|
| 0.8.x | ✅ |
| < 0.8 | ❌ |
We take the security of math-mcp-learning-server seriously. If you discover a security vulnerability, please follow these steps:
Please do not report security vulnerabilities through public GitHub issues.
Send details to: hugues+mcp-security@linux.com
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Initial Response: Within 48 hours
- Status Update: Within 5 business days
- Fix Timeline: Depends on severity
- Critical: Within 7 days
- High: Within 14 days
- Medium: Within 30 days
- Low: Next regular release
- We will acknowledge receipt of your vulnerability report
- We will provide regular updates on our progress
- We will notify you when the vulnerability is fixed
- We will publicly disclose the vulnerability after a fix is released
- We will credit you for the discovery (unless you prefer to remain anonymous)
This project implements several security measures:
- Restricted
eval()with whitelisted functions only - No access to dangerous built-ins or imports
- Security logging for suspicious attempts
- Controlled execution environment
- All tool inputs validated with Pydantic models
- Type checking enforced
- Structured error handling without exposing sensitive information
- Workspace operations restricted to designated directory
- Cross-platform path handling
- Atomic file operations with proper locking
- Regular dependency updates via Dependabot
- Minimal dependency footprint (core uses stdlib only)
- Security scanning in CI/CD pipeline
- Server code vulnerabilities
- Expression evaluation bypass
- File system access violations
- Dependency vulnerabilities
- Authentication/authorization issues (if applicable)
- Issues in third-party MCP clients
- User configuration errors
- Network security (users are responsible for their deployment)
- Denial of Service attacks against public cloud deployment
Security updates will be released as:
- Patch versions for non-breaking security fixes (0.8.x)
- Minor versions if breaking changes are necessary (0.9.0)
Subscribe to releases on GitHub to receive security notifications.
This project is designed for educational purposes and demonstrates security best practices:
- Safe expression evaluation patterns
- Input validation with Pydantic
- Secure file operations
- Security logging and monitoring
Students and learners should study the security implementations as examples of defensive programming.
For security concerns: hugues+mcp-security@linux.com For general questions: Open a GitHub issue or discussion