# Security Policy
## Supported Versions
We take security seriously. The following versions of the HackerNews MCP Server currently receive security updates:
| Version | Supported |
| ------- | ------------------ |
| 1.x.x | :white_check_mark: |
| < 1.0 | :x: |
## Reporting a Vulnerability
If you discover a security vulnerability in this project, please report it responsibly. We appreciate your help in keeping our users safe.
### How to Report
**Please do NOT report security vulnerabilities through public GitHub issues.**
Instead, please report security vulnerabilities by emailing:
- **Email**: [INSERT SECURITY EMAIL OR USE GITHUB SECURITY ADVISORIES]
- **Subject**: `[SECURITY] Vulnerability in hn-mcp-server`
You can also use [GitHub Security Advisories](https://github.com/sam3690/Hackernews_mcp/security/advisories) to report vulnerabilities privately.
### What to Include
When reporting a vulnerability, please include:
1. **Description**: A clear description of the vulnerability
2. **Steps to Reproduce**: Detailed steps to reproduce the issue
3. **Impact**: Potential impact and severity of the vulnerability
4. **Environment**: Your environment details (OS, Node.js version, etc.)
5. **Proof of Concept**: If possible, include a proof of concept
6. **Suggested Fix**: Any suggestions for fixing the vulnerability (optional)
### Response Timeline
We will acknowledge your report within **48 hours** and provide a more detailed response within **7 days** indicating our next steps.
We will keep you informed about our progress throughout the process of fixing the vulnerability.
### Disclosure Policy
- We follow a **90-day disclosure timeline** from the initial report
- We will credit you (if desired) in our security advisory
- We will not disclose vulnerability details until a fix is available
- We may delay disclosure for critical infrastructure vulnerabilities
## Security Considerations
### For Users
- Keep your Node.js version up to date
- Regularly update the MCP server to the latest version
- Be cautious with API keys and credentials
- Use HTTPS when possible
- Monitor your logs for suspicious activity
### For Contributors
- All code changes are reviewed for security implications
- Dependencies are regularly audited using `npm audit`
- Security tests are included in the test suite
- Code follows security best practices
### API Security
This MCP server interacts with the Hacker News API:
- **Rate Limiting**: Respects HN API limits (10,000 requests/hour)
- **No Authentication**: The HN API is public and does not require authentication
- **Data Privacy**: Only processes public HN data
- **HTTPS Only**: All API calls use HTTPS
## Security Updates
Security updates will be:
1. **Released as patches** with minimal delay
2. **Documented in CHANGELOG.md**
3. **Tagged with security advisories**
4. **Communicated through GitHub releases**
## Contact
For security-related questions or concerns:
- **Security Issues**: Use the reporting process above
- **General Questions**: [GitHub Issues](https://github.com/sam3690/Hackernews_mcp/issues)
- **Discussions**: [GitHub Discussions](https://github.com/sam3690/Hackernews_mcp/discussions)
Thank you for helping keep the HackerNews MCP Server and its users secure! 🔒