# Security Policy

## Supported Versions

| Version | Supported          |
| ------- | ------------------ |
| 0.1.x   | :white_check_mark: |

## Reporting a Vulnerability

**Please do not report security vulnerabilities through public GitHub issues.**

Instead, please report them privately via:

1. **GitHub Security Advisories** (Preferred)
   - Go to: https://github.com/yty-build/postgres_mcp_allaccess/security/advisories
   - Click "Report a vulnerability"
   - Provide detailed information

2. **Direct Email**
   - Email: yt@gmail.com
   - Subject: [SECURITY] Brief description
   - Include:
     - Description of the vulnerability
     - Steps to reproduce
     - Potential impact
     - Suggested fix (if any)

## Response Timeline

- **Acknowledgment**: Within 48 hours
- **Initial Assessment**: Within 7 days
- **Fix Development**: Depends on severity
- **Public Disclosure**: After the patch is released

## Security Best Practices

### For Users

1. **Never commit secrets**
   - Use `.env` files (gitignored)
   - Use AWS Secrets Manager for production
   - Rotate credentials regularly

2. **Use the latest version**
   - Update to patched versions immediately
   - Monitor security advisories

3. **Secure your deployment**
   - Use HTTPS for SSE transport
   - Restrict network access to the MCP server
   - Use PostgreSQL SSL connections

4. **Audit your configuration**
   - Verify that `.gitignore` includes `.env`, `*.log`, and `*.ini`
   - Never expose port 3000 publicly without authentication
   - Use read-only database users when possible

### For Contributors

1. **Code review requirements**
   - All PRs are reviewed for security issues
   - No hardcoded credentials in code
   - Input validation for user-provided data

2. **Dependency management**
   - Keep dependencies updated
   - Review dependency security advisories
   - Pin versions in production

3. **Secure defaults**
   - Fail closed on errors
   - Minimal permissions by default
   - Clear error messages without sensitive data

## Known Security Considerations

### Credential Management

**✅ SAFE:**
- AWS secret **names** (e.g., `postgres/dev/db`)
- Database hostnames (e.g., `mydb.rds.amazonaws.com`)
- Configuration structure

**❌ NEVER COMMIT:**
- AWS access keys (`AKIA...`)
- PostgreSQL passwords
- Database connection strings with credentials
- `.env` files
- Log files

### Connection Security

- **PgBouncer passwords**: Stored in `/etc/pgbouncer/userlist.txt` (inside the container only)
- **AWS credentials**: Passed via environment variables, not stored
- **PostgreSQL connections**: Support SSL/TLS (set `server_tls_sslmode=require`)

### Docker Security

- Container runs as non-root where possible
- No privileged mode required
- Secrets passed via environment variables (Docker secrets recommended for production)
- Health checks don't expose sensitive data

## Security Features

### Automatic Password Rotation

- Detects AWS RDS password rotation automatically
- Updates both MCP and PgBouncer passwords
- Zero downtime during rotation
- No manual intervention needed

### Connection Pooling

- Global pool prevents connection exhaustion attacks
- Configurable timeouts prevent hung connections
- Transaction-level pooling isolates sessions

### Access Control

- Read-only mode supported (`POSTGRES_ACCESS_MODE=read_only`)
- Schema-level permissions enforced by PostgreSQL
- Query timeout prevents runaway queries

## Vulnerability Disclosure Policy

We follow responsible disclosure:

1. **Private reporting**: Security researchers report privately
2. **Acknowledgment**: We confirm receipt and validity
3. **Fix development**: We develop and test a fix
4. **Coordinated release**: We notify the reporter before public release
5. **Public disclosure**: CVE assigned, advisory published
6. **Credit given**: Reporter acknowledged (if desired)

## Security Hall of Fame

We recognize security researchers who help improve our security:

<!-- Contributors who report valid security issues will be listed here -->

*Be the first to contribute!*

## Additional Resources

- [OWASP Top 10](https://owasp.org/www-project-top-ten/)
- [PostgreSQL Security Best Practices](https://www.postgresql.org/docs/current/security.html)
- [Docker Security](https://docs.docker.com/engine/security/)

## Contact

For non-security issues, please use:

- GitHub Issues: https://github.com/yty-build/postgres_mcp_allaccess/issues
- Discussions: https://github.com/yty-build/postgres_mcp_allaccess/discussions
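The commit rules stated under "Never commit secrets", "Audit your configuration" and "Credential Management" above can be enforced mechanically before a change lands. The pre-commit style check below is an added example, not code from the postgres_mcp_allaccess project; the file globs, the assumed `AKIA` + 16 character key format, the connection-string pattern and every sample file are assumptions or constructed values.

```python
import fnmatch
import re
from typing import Dict, List, Tuple

# File types the policy says must stay gitignored: .env, *.log, *.ini.
FORBIDDEN_GLOBS = (".env", ".env.*", "*.log", "*.ini")

# "Never commit" content: AWS access key IDs (AKIA + 16 chars, assumed format)
# and PostgreSQL URIs embedding user:password@. Secret names such as
# postgres/dev/db and bare hostnames match neither, so they pass as allowed.
PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "postgres_uri_with_credentials": re.compile(
        r"postgres(?:ql)?://[^\s:/@]+:[^\s@]+@[^\s/]+"),
}

# Constructed staged files (not from the project): the first two are allowed,
# the other three each break one rule. Key and password values are dummies.
SAMPLE_STAGED: Dict[str, str] = {
    "config/settings.example": "AWS_SECRET_NAME=postgres/dev/db\n"
                               "DB_HOST=mydb.rds.amazonaws.com\n",
    "README.md": "Set POSTGRES_ACCESS_MODE=read_only for read-only use.\n",
    ".env": "AWS_ACCESS_KEY_ID=AKIAXXXXXXXXXXXXXXXX\n",
    "src/db.py": 'DSN = "postgresql://app:hunter2@mydb.rds.amazonaws.com:5432/app"\n',
    "notes.txt": "rotated key AKIAEXAMPLEKEY000000 yesterday\n",
}


def forbidden_path(path: str) -> bool:
    """True when the file itself must never be committed (e.g. .env, app.log)."""
    name = path.rsplit("/", 1)[-1]
    return any(fnmatch.fnmatch(name, g) for g in FORBIDDEN_GLOBS)


def scan_content(path: str, text: str) -> List[Tuple[str, int, str]]:
    """Return (path, line_no, rule) for each line that embeds a credential."""
    return [(path, no, rule)
            for no, line in enumerate(text.splitlines(), 1)
            for rule, rx in PATTERNS.items() if rx.search(line)]


def check_staged(files: Dict[str, str]) -> List[str]:
    """files maps path -> staged content. Returns violations; an empty list
    means the commit may proceed (a hook would exit non-zero otherwise)."""
    problems = []
    for path, text in files.items():
        if forbidden_path(path):
            problems.append(f"{path}: file type must never be committed")
            continue  # a forbidden file is rejected outright, no content scan
        problems += [f"{p}:{no}: {rule}" for p, no, rule in scan_content(path, text)]
    return problems
```

Wired into a Git pre-commit hook, `check_staged` would be fed the paths from `git diff --cached --name-only` with their staged contents, and the hook would refuse the commit whenever the returned list is non-empty.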
