UniProt MCP Server

# Security Policy ## Supported Versions We release patches for security vulnerabilities. Currently supported versions: | Version | Supported | | ------- | ------------------ | | 0.1.x | :white_check_mark: | ## Reporting a Vulnerability The UniProt MCP team takes security bugs seriously. We appreciate your efforts to responsibly disclose your findings. ### How to Report a Security Vulnerability **Please do not report security vulnerabilities through public GitHub issues.** Instead, please report them via email to: 📧 **josepipe0909@gmail.com** Please include the following information: - Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.) - Full paths of source file(s) related to the manifestation of the issue - The location of the affected source code (tag/branch/commit or direct URL) - Any special configuration required to reproduce the issue - Step-by-step instructions to reproduce the issue - Proof-of-concept or exploit code (if possible) - Impact of the issue, including how an attacker might exploit it ### What to Expect - **Acknowledgment**: We will acknowledge your email within 48 hours - **Investigation**: We will investigate and validate the issue within 7 days - **Updates**: We will keep you informed about our progress - **Resolution**: We will work on a fix and coordinate the disclosure timeline with you ### Security Update Process 1. **Patch Development**: Security patches are developed privately 2. **Testing**: Patches are thoroughly tested before release 3. **Coordinated Disclosure**: We coordinate with you on disclosure timing 4. **Release**: Security updates are released as patch versions 5. **Advisory**: We publish a security advisory on GitHub ## Security Best Practices When using UniProt MCP Server: ### For Stdio Deployment - Run the server with minimal privileges - Avoid exposing stdio servers to untrusted networks - Validate all input from LLM agents ### For HTTP Deployment - Use HTTPS in production (reverse proxy with TLS) - Configure CORS appropriately (avoid wildcards in production) - Implement rate limiting at the reverse proxy level - Use authentication tokens for sensitive deployments - Monitor logs for suspicious activity - Keep dependencies up to date (`uv sync --upgrade`) ### API Token Security - Never commit API tokens to version control - Use environment variables for sensitive configuration - Rotate tokens regularly - Use least-privilege access principles ### Dependencies - We use `uv.lock` to pin all dependencies - We monitor dependencies for known vulnerabilities - Security updates are released promptly ## Security-Related Configuration ### Environment Variables The following environment variables affect security: ```bash # Limit concurrent requests (prevents resource exhaustion) UNIPROT_MAX_CONCURRENCY=8 # Configure CORS (restrict in production) MCP_CORS_ALLOW_ORIGINS=https://your-domain.com MCP_CORS_ALLOW_METHODS=GET,POST MCP_CORS_ALLOW_HEADERS=Content-Type,Authorization # Enable structured logging for audit trails UNIPROT_LOG_FORMAT=json UNIPROT_LOG_LEVEL=info ``` ### Rate Limiting Consider implementing rate limiting at your deployment layer: ```bash # Example: Using nginx limit_req_zone $binary_remote_addr zone=mcp:10m rate=10r/s; ``` ## Known Security Considerations ### Data Privacy - UniProt MCP fetches data from UniProt's public API - No user data is stored by this server - All UniProt data is subject to [UniProt's terms of use](https://www.uniprot.org/help/license) ### Network Security - The server makes outbound HTTPS requests to UniProt API - No inbound connections except for the HTTP transport endpoint - All UniProt API communications use TLS ### Input Validation - All tool inputs are validated using Pydantic models - UniProt API responses are defensively parsed - Malformed responses do not crash the server ## Vulnerability Disclosure Policy We follow coordinated vulnerability disclosure: 1. Security researchers privately report vulnerabilities 2. We work with researchers to validate and patch issues 3. We coordinate public disclosure timing 4. We credit researchers who report issues (unless they prefer anonymity) ## Hall of Fame We recognize security researchers who help us keep UniProt MCP Server secure: <!-- List will be added as researchers report issues --> *No reported vulnerabilities yet.* ## Security Audits - Last security review: October 2025 - No formal security audit has been conducted yet - Community security reviews are welcome ## Contact For security concerns: **josepipe0909@gmail.com** For general issues: [GitHub Issues](https://github.com/josefdc/Uniprot-MCP/issues) --- Thank you for helping keep UniProt MCP Server and its users safe!