
Smart Code Search MCP Server

SECURITY.md
# Security Policy

## Supported Versions

We release patches for security vulnerabilities. Which versions are eligible for receiving such patches depends on the CVSS v3.0 Rating:

| Version | Supported          |
| ------- | ------------------ |
| 1.0.x   | :white_check_mark: |
| < 1.0   | :x:                |

## Reporting a Vulnerability

We take the security of SCS-MCP seriously. If you have discovered a security vulnerability in our project, please report it to us as described below.

### Reporting Process

**Please do not report security vulnerabilities through public GitHub issues.**

Instead, please report them via one of the following methods:

1. **Email**: Send details to `security@stevenjjobson.com` (or via GitHub Security Advisory)
2. **GitHub Security Advisory**: Create a private security advisory on GitHub:
   - Go to the Security tab of the repository
   - Click on "Report a vulnerability"
   - Fill out the form with details

### What to Include

Please include the following information to help us triage your report quickly:

- **Type of issue** (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
- **Full paths of source file(s)** related to the manifestation of the issue
- **Location** of the affected source code (tag/branch/commit or direct URL)
- **Special configuration** required to reproduce the issue
- **Step-by-step instructions** to reproduce the issue
- **Proof-of-concept or exploit code** (if possible)
- **Impact** of the issue, including how an attacker might exploit it

### What to Expect

- **Acknowledgment**: We will acknowledge receipt of your vulnerability report within 48 hours
- **Communication**: We will keep you informed about the progress of addressing the vulnerability
- **Fix Timeline**: We aim to provide a fix within 30 days, depending on complexity
- **Disclosure**: We will coordinate with you on the disclosure timeline

## Security Best Practices

When using SCS-MCP, please follow these security best practices:

### API Keys and Credentials

- **Never commit API keys** or credentials to the repository
- Use environment variables or `.env` files (which are gitignored)
- Rotate credentials regularly
- Use minimal permission scopes

### Code Indexing

- Be aware that indexed code is stored in a local SQLite database
- The database may contain sensitive code snippets
- Ensure proper file permissions on the `.claude-symbols/` directory
- Don't share the index database publicly

### MCP Server Configuration

- Run the MCP server only on trusted networks
- Don't expose the MCP server directly to the internet
- Use proper authentication if extending the server
- Regularly update dependencies

### Voice Assistant

- The voice assistant runs a local web server
- Keep it bound to localhost (127.0.0.1) only
- If using the ElevenLabs API, secure your API key
- Be cautious with voice commands that execute code

## Security Features

SCS-MCP includes several security features:

1. **Input Sanitization**: All user inputs are sanitized before processing
2. **SQL Injection Protection**: Uses parameterized queries throughout
3. **Path Traversal Prevention**: File access is restricted to project boundaries
4. **Dependency Scanning**: Regular updates and vulnerability scanning
5. **Safe Defaults**: Secure configuration out of the box

## Vulnerability Disclosure Policy

We follow a coordinated disclosure process:

1. **Reporter submits** vulnerability details privately
2. **We validate** and assess the impact
3. **We develop** and test a fix
4. **We release** the fix and update documentation
5. **We publicly disclose** the vulnerability details (credited to the reporter if desired)

## Security Updates

Security updates will be released as:

- **Critical**: Immediate patch release
- **High**: Within 7 days
- **Medium**: Within 30 days
- **Low**: Next regular release

Subscribe to our security announcements:

- Watch the repository for releases
- Check our CHANGELOG.md for security notes

## Contact

For any security-related questions or concerns, contact:

- Security Email: `security@stevenjjobson.com`
- Project Maintainers: See [MAINTAINERS.md](MAINTAINERS.md)

## Recognition

We would like to thank the following individuals for responsibly disclosing security issues:

<!-- Add contributors here as issues are reported and fixed -->

- *Your name could be here!*

---

**Last Updated**: January 2024
**Next Review**: April 2024
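Two of the security features listed above, parameterized queries against the SQLite index and file access confined to the project boundary, are worth seeing in working form. The following is an added example written for this page, not SCS-MCP's own code: it assumes a symbol table named `symbols` with columns `(name, path, line)` and uses helper names of its own invention. The path check resolves both the project root and the requested path with symlinks followed, so `..` segments, absolute paths and symlinks that point outside the tree are all rejected by the same `relative_to` test. The fixture it runs against (a temporary project directory with one source file and one escaping symlink) is constructed inside the block.

```python
"""Added example (not SCS-MCP's own code): confining file access to the
project root and querying the symbol index with bound SQL parameters.

Assumptions not taken from the page: the index is a SQLite table named
`symbols` with columns (name, path, line); all helper names are invented.
"""
import os
import sqlite3
import tempfile
from pathlib import Path


class PathOutsideProject(ValueError):
    """Raised when a requested path would escape the project root."""


def resolve_within_project(project_root: str, requested: str) -> Path:
    """Return the real path of `requested` only if it lies under `project_root`.

    Both sides are resolved with symlinks followed, so `..` segments, absolute
    paths and symlinks pointing outside the tree are rejected the same way.
    """
    root = Path(project_root).resolve(strict=True)
    # An absolute `requested` replaces `root` entirely under `/`; that is the
    # escape the relative_to check below catches, so no special case is needed.
    candidate = (root / requested).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise PathOutsideProject(f"{requested!r} resolves outside {root}") from None
    return candidate


def read_project_file(project_root: str, requested: str) -> str:
    """Read a file for indexing, refusing anything outside the project."""
    return resolve_within_project(project_root, requested).read_text()


def open_index(db_path: str = ":memory:") -> sqlite3.Connection:
    """Create the (assumed) symbol table in a fresh SQLite database."""
    conn = sqlite3.connect(db_path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS symbols (name TEXT, path TEXT, line INTEGER)"
    )
    return conn


def add_symbol(conn: sqlite3.Connection, name: str, path: str, line: int) -> None:
    """Insert one symbol row; values travel as bound parameters, not SQL text."""
    conn.execute("INSERT INTO symbols VALUES (?, ?, ?)", (name, path, line))
    conn.commit()


def find_symbol(conn: sqlite3.Connection, name: str) -> list:
    """Exact-name lookup with a bound parameter, so a name such as
    "main' OR '1'='1" is compared literally and matches nothing."""
    return conn.execute(
        "SELECT path, line FROM symbols WHERE name = ?", (name,)
    ).fetchall()


def build_demo_project() -> str:
    """Constructed fixture: a temp project with one source file and one
    symlink whose target lies outside the project root."""
    outside = tempfile.mkdtemp(prefix="outside-")
    Path(outside, "secret.txt").write_text("not for the index\n")
    root = tempfile.mkdtemp(prefix="project-")
    Path(root, "src").mkdir()
    Path(root, "src", "app.py").write_text("def main():\n    pass\n")
    os.symlink(Path(outside, "secret.txt"), Path(root, "src", "link.txt"))
    return root


def demo() -> dict:
    """Run both checks against the fixture and report each outcome."""
    root = build_demo_project()
    outcome = {"inside": read_project_file(root, "src/app.py").startswith("def main")}
    for bad in ("../../etc/passwd", "/etc/passwd", "src/link.txt"):
        try:
            read_project_file(root, bad)
            outcome[bad] = "allowed"
        except PathOutsideProject:
            outcome[bad] = "blocked"
    conn = open_index()
    add_symbol(conn, "main", "src/app.py", 1)
    outcome["lookup"] = find_symbol(conn, "main")
    outcome["injection"] = find_symbol(conn, "main' OR '1'='1")
    return outcome


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Resolving the root with `strict=True` and the candidate without it matters: a missing file inside the project should still pass the boundary check and then fail on the read, while a path that escapes must be refused before any filesystem access is attempted.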
