# Security Policy
## Supported Versions
| Version | Supported |
|---------|-----------|
| 0.14.x | ✅ |
| < 0.14 | ❌ |
## Reporting a Vulnerability
Please **do not** open a public GitHub issue for security vulnerabilities.
Instead, use GitHub's private vulnerability reporting:
**[Report a vulnerability](https://github.com/sooperset/mcp-atlassian/security/advisories/new)**
We will acknowledge your report within **72 hours** and work with you on a coordinated disclosure.
## Response Timeline
- **72 hours**: Initial acknowledgment of your report
- **7 days**: Assessment and initial response
- **30 days**: Target for patch release (if applicable)
## Best Practices
1. **API Tokens**
- Never commit tokens to version control
- Rotate tokens regularly
- Use minimal required permissions
2. **Environment Variables**
- Keep .env files secure and private
- Use separate tokens for development/production
3. **Access Control**
- Regularly audit Confluence space access
- Follow principle of least privilege
4. **OAuth Client Credentials**
- Never share your client secret publicly
- Be aware that printing client secrets to console output poses a security risk
- Console output can be logged, screen-captured, or viewed by others with access to your environment
- If client secrets are exposed, regenerate them immediately in your Atlassian developer console
- Consider using environment variables or secure credential storage instead of direct console output
