# Security Policy
## Supported Versions
We actively support the following versions with security updates:

| Version | Supported |
| ------- | ------------------ |
| 1.x.x | :white_check_mark: |
| < 1.0 | :x: |
## Reporting a Vulnerability
We take the security of SmartSuite MCP Server seriously. If you discover a security vulnerability, please follow these steps:
### How to Report
**Please DO NOT create a public GitHub issue for security vulnerabilities.**
Instead, please report security vulnerabilities by emailing:
**security@eavcreativesolutions.com** (or update with your actual security contact)
### What to Include
Please include the following information in your report:
- **Description**: A detailed description of the vulnerability
- **Impact**: The potential impact if exploited
- **Steps to Reproduce**: Clear steps to reproduce the vulnerability
- **Version**: The version of SmartSuite MCP Server affected
- **Environment**: OS, Node.js version, and any relevant configuration
- **Proof of Concept**: If applicable, include a minimal proof of concept
- **Suggested Fix**: If you have ideas for how to fix the vulnerability
### Response Timeline
We will acknowledge receipt of your vulnerability report within **48 hours** and aim to provide a detailed response within **7 days**, including:
- Confirmation of the vulnerability
- Our assessment of severity and impact
- Estimated timeline for a fix
- Any workarounds or mitigations available
### Security Update Process
1. **Triage**: We assess the severity and impact of the reported vulnerability
2. **Fix Development**: We develop and test a fix in a private branch
3. **Security Advisory**: We prepare a security advisory (if warranted)
4. **Release**: We release a patched version and publish the advisory
5. **Disclosure**: After users have had time to update, we publicly disclose details
### Safe Harbor
We support security researchers who follow responsible disclosure practices, meaning that they:
- Make a good faith effort to avoid privacy violations, data destruction, and service disruption
- Give us reasonable time to address vulnerabilities before public disclosure

We will not pursue legal action against researchers who follow these guidelines.
### Security Best Practices
When deploying SmartSuite MCP Server:
1. **Environment Variables**: Never commit `.env` files or expose credentials
2. **API Keys**: Rotate SmartSuite API keys regularly
3. **Updates**: Keep dependencies up to date (run `npm audit` regularly)
4. **Network**: Deploy behind a firewall or API gateway when possible
5. **Monitoring**: Enable audit logging for production deployments
6. **Dry-Run Mode**: Always test mutations with `dry_run: true` first
### Known Security Considerations
- **API Key Storage**: SmartSuite API keys are stored in environment variables only
- **Input Validation**: All user inputs are validated using Zod schemas
- **Rate Limiting**: The server does not throttle requests itself; reaching the SmartSuite API rate limit surfaces as an HTTP 429 error response
- **Data Sanitization**: Field values are sanitized before SmartSuite API calls
### Security Contact
For general security questions or concerns:
- Email: security@eavcreativesolutions.com (update with your contact)
- GitHub: Open a discussion in the repository (for non-sensitive questions)
### Hall of Fame
We recognize and thank security researchers who have helped improve our security:
- (No reports yet - be the first!)
---
**Last Updated**: 2025-11-11