| Version | Supported |
|---|---|
| 0.1.x | Yes |
Do not open a public GitHub issue for security vulnerabilities.
Instead, please report security issues by emailing:
Include the following in your report:
- Description of the vulnerability
- Steps to reproduce (or proof-of-concept)
- Impact assessment — what could an attacker do?
- Affected versions — which version(s) are impacted?
Response timeline:
- Acknowledgment: Within 72 hours of receiving your report
- Initial assessment: Within 1 week
- Fix timeline: Depends on severity
  - Critical: Patch within 48 hours
  - High: Patch within 1 week
  - Medium/Low: Next scheduled release
In scope:
- SQL injection or database access issues
- API key / credential exposure
- Authentication or authorization bypass
- Remote code execution
- Path traversal or file access
- Sensitive data in logs or error messages

Out of scope:
- Denial of service (the MCP server is designed for local use)
- Issues requiring physical access to the machine
- Social engineering
- Bugs in third-party dependencies (report upstream, but let us know)
We follow responsible disclosure. Once a fix is released, we will:
- Credit the reporter (unless they prefer anonymity)
- Publish a security advisory on GitHub
- Update CHANGELOG.md with the fix
This policy covers the TradeMemory Protocol codebase at: https://github.com/mnemox-ai/tradememory-protocol
Thank you for helping keep TradeMemory secure.