
Security: benjaminfh/research-mcp


SECURITY.md

Security Policy

Supported Versions

We release patches for security vulnerabilities for the following versions:

Version   Supported
1.x.x     Yes
< 1.0     No

Reporting a Vulnerability

We take the security of Research MCP Server seriously. If you believe you have found a security vulnerability, please report it to us as described below.

Please Do Not

  • Do not open a public GitHub issue for security vulnerabilities
  • Do not disclose the vulnerability publicly until it has been addressed
  • Do not attempt to exploit the vulnerability beyond confirming it exists

How to Report

Preferred channel: create a private GitHub Security Advisory at https://github.com/benjaminfh/research-mcp/security/advisories/new (there is no separate security mailbox)

Include in your report:

  1. Description of the vulnerability
  2. Steps to reproduce the issue
  3. Potential impact of the vulnerability
  4. Suggested fix (if you have one)
  5. Your contact information for follow-up

What to Expect

  • Acknowledgment within 48 hours of your report
  • Regular updates on our progress
  • Credit for the discovery (if you wish) when we release a fix
  • Timeline for when a patch will be available

Our Commitment

  • We will work with you to understand and resolve the issue quickly
  • We will keep you informed of our progress
  • We will credit you for responsible disclosure (unless you prefer to remain anonymous)
  • We will release a security advisory once the issue is resolved

Security Best Practices

When deploying Research MCP Server, follow these security best practices:

Authentication

  • Use JWT authentication for production HTTP deployments
  • Generate strong secrets (32+ characters)
    python -m auth.jwt_token generate-secret
  • Store secrets securely (environment variables, not in code)
  • Rotate tokens regularly (every 90 days recommended)
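The list above says to use JWT authentication with a strong secret and to rotate tokens, but not what a correct verifier looks like. The following is an added example written for this page, not the project's auth.jwt_token module: a stdlib-only HS256 issue/verify pair that refuses short secrets, pins the algorithm server-side, compares signatures in constant time and enforces exp. The secret-length threshold and the token TTL are assumptions chosen to match the guidance above.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

MIN_SECRET_LEN = 32  # the "32+ characters" rule from the list above (assumed threshold)


def generate_secret(nbytes=32):
    """Return a URL-safe random secret; 32 random bytes encode to 43 characters."""
    return secrets.token_urlsafe(nbytes)


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _require_strong(secret):
    if len(secret) < MIN_SECRET_LEN:
        raise ValueError(f"JWT secret must be at least {MIN_SECRET_LEN} characters")


def issue_token(secret, subject, ttl_seconds=3600, now=None):
    """Mint an HS256 token carrying iat/exp; a short TTL limits the value of a leaked token."""
    _require_strong(secret)
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": now, "exp": now + ttl_seconds}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(secret, token, now=None):
    """Return the payload of a valid token; raise ValueError for anything else."""
    _require_strong(secret)
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except Exception:
        raise ValueError("malformed token") from None
    # Pin the algorithm on the server; never honour the alg the token claims.
    # This is what defeats alg=none and HMAC/RSA key-confusion tokens.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        raise ValueError("token expired or missing exp")
    return payload


def is_valid(secret, token, now=None):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        verify_token(secret, token, now)
        return True
    except ValueError:
        return False


def alg_none_forgery(token):
    """Constructed attack token: same payload, header alg=none, empty signature."""
    _, payload_b64, _ = token.split(".")
    header_b64 = _b64url(json.dumps({"alg": "none", "typ": "JWT"}, separators=(",", ":")).encode())
    return f"{header_b64}.{payload_b64}."
```

Keep the secret in an environment variable read once at start-up, and treat a ValueError from verify_token as an authentication failure without echoing the reason to the client.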

Network Security

  • Use HTTPS for all production deployments
  • Configure firewalls to restrict access to the MCP port
  • Use VPNs or IP allowlists for internal deployments
  • Never expose development servers to the public internet

Environment Configuration

  • Never commit .env or .env.server files
  • Restrict file permissions on configuration files: 600 for any file that holds a secret (644 leaves it readable by every local account)
  • Use separate secrets for development and production
  • Audit environment variables regularly

Database Security

  • Set restrictive permissions on the SQLite database: the service account needs read/write, nobody else needs access
    chown mcp:mcp /path/to/papers.db
    chmod 600 /path/to/papers.db
  • Backup regularly with encrypted backups
  • Store in secure locations with restricted access
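Both the environment-configuration and database items above come down to file ownership and mode bits, which are easy to get wrong silently. Here is an added pre-flight check written for this page (not part of the project): it flags any secret file or database that is a symlink, that grants group/other access, or that is owned by the wrong account, and it checks that the secret file names are listed in .gitignore. The file names, the database path and the service account name "mcp" are taken from this document; the gitignore parser is deliberately simplified and is an assumption, not real gitignore semantics.

```python
import os
import pwd
import stat
import tempfile

SECRET_FILES = (".env", ".env.server")   # names from the list above
DB_PATH = "/opt/mcp-data/papers.db"      # assumed location under the ReadWritePaths used later
SERVICE_USER = "mcp"                     # the non-root account this document recommends


def check_private_file(path, expected_owner=None):
    """Return a list of findings for one file; an empty list means it passes."""
    findings = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    if stat.S_ISLNK(st.st_mode):
        # Whoever controls the link target controls what the service reads.
        findings.append(f"{path}: is a symlink")
        st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        findings.append(f"{path}: mode {mode:04o} grants group/other access, expected 0600")
    if expected_owner is not None:
        owner = pwd.getpwuid(st.st_uid).pw_name
        if owner != expected_owner:
            findings.append(f"{path}: owned by {owner}, expected {expected_owner}")
    return findings


def gitignore_covers(gitignore_text, names=SECRET_FILES):
    """Return the secret file names not covered by a literal entry or '.env*'.
    Simplified on purpose: negation, anchors and directory rules are not modelled."""
    patterns = {ln.strip() for ln in gitignore_text.splitlines() if ln.strip() and not ln.startswith("#")}
    wildcard = ".env*" in patterns
    return [n for n in names if not wildcard and n not in patterns]


def audit(paths, expected_owner=SERVICE_USER):
    """Run check_private_file over every path and collect the findings."""
    return {p: check_private_file(p, expected_owner) for p in paths}


def demo():
    """Constructed scenario: one correctly locked-down file and one world-readable one."""
    workdir = tempfile.mkdtemp()
    me = pwd.getpwuid(os.getuid()).pw_name
    good = os.path.join(workdir, ".env")
    bad = os.path.join(workdir, ".env.server")
    for p in (good, bad):
        with open(p, "w") as fh:
            fh.write("API_KEY=constructed-placeholder\n")  # constructed, not a real key
    os.chmod(good, 0o600)
    os.chmod(bad, 0o644)
    return {
        "good": check_private_file(good, expected_owner=me),
        "bad": check_private_file(bad, expected_owner=me),
        "uncovered": gitignore_covers("# ignore secrets\n.env\n"),
    }
```

Run audit((".env", ".env.server", DB_PATH)) from the deployment host as a start-up guard and refuse to serve if it returns any findings.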

PDF Processing

  • Validate PDF sources before downloading
  • Scan downloaded files for malware if needed
  • Limit storage space to prevent disk exhaustion
  • Monitor for suspicious patterns in PDF requests
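The PDF items above (validate the source, limit storage, watch for odd requests) are simplest to enforce at the point where bytes are fetched. The following is an added example written for this page, not the project's downloader: an exact-host HTTPS allowlist, a streaming writer that caps the bytes actually received (Content-Length is attacker-controlled) and checks the %PDF- magic prefix, an atomic rename so half-written files never appear under the final name, and cleanup of partial files on any failure. The allowlisted hosts, the size cap and the file-name rule are assumptions for illustration; the chunks in demo() are constructed, not downloaded.

```python
import os
import re
import tempfile
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"arxiv.org", "export.arxiv.org"}   # assumed allowlist for illustration
MAX_PDF_BYTES = 50 * 1024 * 1024                     # assumed per-file cap
PDF_MAGIC = b"%PDF-"
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")  # no leading dot, no slashes


class DownloadRejected(ValueError):
    pass


def is_allowed_source(url, allowed_hosts=ALLOWED_HOSTS):
    """Accept only https URLs whose host is exactly on the allowlist.
    Exact match (not suffix match) blocks look-alikes such as arxiv.org.evil.example;
    userinfo is refused because user@host is a classic URL-parser confusion."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.username is not None or parts.password is not None:
        return False
    return (parts.hostname or "").lower() in allowed_hosts


def save_pdf_bounded(chunks, dest_dir, name, max_bytes=MAX_PDF_BYTES):
    """Stream `chunks` to dest_dir/name, enforcing the size cap on bytes received
    and a %PDF- magic check on the prefix. Partial output is removed on failure."""
    if not SAFE_NAME.match(name):
        raise DownloadRejected(f"unsafe file name {name!r}")
    os.makedirs(dest_dir, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=dest_dir, prefix=".partial-")
    written, head = 0, b""
    try:
        with os.fdopen(fd, "wb") as out:
            for chunk in chunks:
                written += len(chunk)
                if written > max_bytes:
                    raise DownloadRejected(f"exceeds {max_bytes} bytes")
                if len(head) < len(PDF_MAGIC):
                    head += chunk
                    if len(head) >= len(PDF_MAGIC) and not head.startswith(PDF_MAGIC):
                        raise DownloadRejected("response is not a PDF")
                out.write(chunk)
        if not head.startswith(PDF_MAGIC):
            raise DownloadRejected("response is not a PDF")  # too short to even hold the header
        final = os.path.join(dest_dir, name)
        os.replace(tmp, final)  # atomic: readers never see a half-written file
        return final
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def demo():
    """Constructed inputs: a tiny PDF-shaped stream, an HTML error page, and an oversized stream."""
    workdir = tempfile.mkdtemp()
    pdf_chunks = [b"%PDF-1.7\n", b"% constructed body\n", b"%%EOF\n"]
    html_chunks = [b"<!DOCTYPE html><title>Not found</title>"]
    big_chunks = (b"%PDF-1.7\n" + b"x" * 1023 for _ in range(3))  # 3 x 1032 bytes against a 2048-byte cap
    results = {"saved": save_pdf_bounded(pdf_chunks, workdir, "paper-0001.pdf")}
    for label, chunks, cap in (("html", html_chunks, MAX_PDF_BYTES), ("big", big_chunks, 2048)):
        try:
            save_pdf_bounded(chunks, workdir, f"{label}.pdf", max_bytes=cap)
            results[label] = "accepted"
        except DownloadRejected as exc:
            results[label] = str(exc)
    results["leftovers"] = sorted(f for f in os.listdir(workdir) if f.startswith(".partial-"))
    return results
```

When wiring this to a real HTTP client, disable automatic redirect following or re-run is_allowed_source on the final URL, otherwise an allowlisted host that issues a redirect can send the fetch anywhere.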

Deployment Security

  • Run service as non-root user (use mcp user in production)
  • Keep dependencies updated
    pip install --upgrade -r requirements.txt
  • Monitor logs for suspicious activity
  • Use systemd hardening options when available

Example Secure systemd Service

[Service]
# Drop root entirely; the files the service touches must be owned by this account
User=mcp
Group=mcp
# Block setuid/capability gains for the process and anything it spawns
NoNewPrivileges=true
# Private /tmp so downloaded files are not visible to other local users
PrivateTmp=true
# Read-only /usr, /boot, /etc; only the paths listed below stay writable
ProtectSystem=strict
ProtectHome=true
# The single writable location for the database and downloaded PDFs
ReadWritePaths=/opt/mcp-data

Known Security Considerations

PDF Processing

  • PDF processing uses third-party libraries (Docling, PyTorch)
  • Malicious PDFs could potentially exploit vulnerabilities in these libraries
  • Recommendation: Run in isolated environment or container

API Keys

  • This server requires API keys for various services
  • Keys should be treated as sensitive credentials
  • Use environment variables, never hardcode in source

Network Requests

  • The server makes outbound requests to paper repositories
  • Ensure your network policies allow these connections
  • Consider routing them through an egress proxy so outbound destinations can be allowlisted and logged

Dependency Security

We use pip for dependency management. To check for known vulnerabilities:

# Install safety
pip install safety

# Check dependencies
safety check -r requirements.txt

Note that the check subcommand is deprecated in Safety 3.x in favour of safety scan; PyPA's pip-audit is an alternative that reads the same requirements file. Whichever tool you use, run it in CI so a newly published advisory against a pinned version fails the build rather than going unnoticed.

Security Updates

  • Security updates will be released as patch versions (x.x.X)
  • Critical vulnerabilities will be announced via GitHub Security Advisories
  • Subscribe to repository notifications to receive security alerts

Contact

For security-related questions or concerns, please use the reporting process above rather than opening public issues.


Thank you for helping keep Research MCP Server and its users safe!
