Security: gnlds/mcp-cve-intelligence-server-lite

SECURITY.md

Security Policy

Supported Versions

Version Supported
1.x.x
0.x.x

Reporting a Vulnerability

If you discover a security vulnerability, please report it responsibly:

For Critical Security Issues

  • DO NOT create a public GitHub issue
  • Contact via GitHub: Send a private message to @gnlds
  • Alternative: Create a private security advisory (see instructions below)
  • Expected response time: 48 hours
  • We will work with you to assess and address the issue

How to Report Privately via GitHub

  1. Direct Message: Click on the maintainer's profile @gnlds and look for contact options
  2. Security Advisory: Go to the repository's Security tab → "Report a vulnerability" → Create private security advisory
  3. Email Alternative: If GitHub messaging isn't available, create a public issue with minimal details and request private communication

For General Security Concerns

  • Create a GitHub issue with the security label
  • Provide detailed information about the concern
  • We will triage and respond within 7 days

Security Features

Release Process Security

  • Approval Gates: All production releases require maintainer approval
  • Permission Checks: Only users with write/maintain/admin access can approve releases
  • Audit Trail: All release approvals are tracked via GitHub issues and Actions
  • Emergency Override: Available for critical security patches (maintainers only)

Build Security

  • Provenance: NPM packages include provenance attestation
  • SBOM: Software Bill of Materials included with releases
  • Multi-platform: Builds are verified across multiple architectures
  • Dependency Scanning: Automated vulnerability scanning in CI/CD

Access Control

  • Repository Permissions: Contributors need appropriate GitHub permissions
  • NPM Publishing: Uses GitHub Actions with provenance, not individual API keys
  • Docker Registry: Uses GitHub Container Registry with proper permissions

Responsible Disclosure

We appreciate security researchers and the broader community helping to improve the security of this project. If you believe you have found a security vulnerability, please follow our responsible disclosure process above.

Security Updates

Security updates will be:

  • Released as patch versions (e.g., 1.0.1)
  • Announced in the GitHub release notes
  • Tagged with appropriate security labels
  • Accompanied by clear upgrade instructions

Thank you for helping keep MCP CVE Intelligence Server secure!

There aren’t any published security advisories