# Security Policy

## Supported Versions

| Version | Supported          |
| ------- | ------------------ |
| 9.x.x   | :white_check_mark: |
| < 9.0   | :x:                |

## Important Disclaimer

PAL MCP is an open-source Model Context Protocol (MCP) server that acts as middleware between AI clients (Claude Code, Codex CLI, Cursor, etc.) and various AI model providers.

**Please understand the following:**

- **No Warranty**: This software is provided "AS IS" under the Apache 2.0 License, without warranties of any kind. See the [LICENSE](LICENSE) file for full terms.
- **User Responsibility**: The AI client (not PAL MCP) controls tool invocations and workflows. Users are responsible for reviewing AI-generated outputs and actions.
- **API Key Security**: You are responsible for securing your own API keys. Never commit keys to version control or share them publicly.
- **Third-Party Services**: PAL MCP connects to external AI providers (Google, OpenAI, Azure, etc.). Their terms of service and privacy policies apply to data sent through this server.

## Reporting a Vulnerability

**Please do not report security vulnerabilities through public GitHub issues.**

### Preferred Method

Use [GitHub Security Advisories](https://github.com/BeehiveInnovations/pal-mcp-server/security/advisories/new) to report vulnerabilities privately.

### What to Include

- Description of the vulnerability
- Steps to reproduce
- Affected versions
- Potential impact
- Suggested fix (optional)

### What to Expect

- We will acknowledge your report and assess the issue
- Critical issues will be prioritized
- We'll keep you informed of progress as work proceeds

We cannot commit to specific response timelines, but we take security seriously.

### After Resolution

We welcome security researchers to submit a pull request with the fix. This is an open-source project and we appreciate community contributions to improve security.

## Disclosure Policy

We practice coordinated disclosure. Please allow reasonable time to address issues before public disclosure. We'll work with you on timing.

## Scope

### In Scope

- Authentication/authorization bypasses
- Injection vulnerabilities (command injection, prompt injection with security impact)
- Information disclosure (API keys, sensitive data leakage)
- Denial of service vulnerabilities in the MCP server itself
- Dependency vulnerabilities with exploitable impact

### Out of Scope

- Issues in upstream AI providers (report to Google, OpenAI, etc. directly)
- Issues in AI client software (report to Anthropic, OpenAI, Cursor, etc.)
- AI model behavior or outputs (this is controlled by the AI client and model providers)
- Social engineering attacks
- Rate limiting or resource exhaustion on third-party APIs

## Security Best Practices for Users

1. **Protect API Keys**: Store keys in `.env` files (gitignored) or environment variables
2. **Review AI Actions**: Always review AI-suggested code changes before applying
3. **Use Local Models**: For sensitive codebases, consider using Ollama with local models
4. **Network Security**: When self-hosting, ensure appropriate network controls
5. **Keep Updated**: Regularly update to the latest version for security fixes

## Recognition

We appreciate responsible disclosure and will credit security researchers in release notes (unless you prefer anonymity).
