We actively maintain and provide security updates for the following versions of Itential MCP:

| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0 | ❌ |
We take security vulnerabilities seriously. If you discover a security vulnerability in Itential MCP, please report it responsibly.
Please do NOT create public GitHub issues for security vulnerabilities.
Instead, please report security vulnerabilities through one of the following methods:
- Email: Send details to opensource@itential.com
- Private vulnerability disclosure: Use GitHub's private vulnerability reporting feature
When reporting a vulnerability, please include:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact assessment
- Any suggested fixes or mitigations
- Your contact information for follow-up
Response timeline:
- Acknowledgment: We will acknowledge receipt of your vulnerability report within 48 hours
- Initial Assessment: We will provide an initial assessment within 5 business days
- Updates: We will provide regular updates on our progress every 7 days
- Resolution: We aim to resolve critical vulnerabilities within 30 days
When deploying Itential MCP:
- Authentication: Always configure proper authentication credentials
- Network Security:
  - Use HTTPS/TLS for all communications
  - Restrict network access to authorized users only
  - Consider using VPNs or private networks
- Credentials Management:
  - Use environment variables for sensitive configuration
  - Never commit credentials to version control
  - Rotate credentials regularly
- Updates: Keep Itential MCP and its dependencies up to date
- Monitoring: Implement logging and monitoring for security events
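The credentials-management and monitoring items above are the kind of guidance that is easy to agree with and easy to get subtly wrong in practice. The following is an added illustration written for this page, not code from the Itential MCP project: a small configuration loader that reads credentials only from environment variables, refuses to start when a setting is missing or the platform URL is not HTTPS, and attaches a logging filter so the password never reaches log output. The variable names `ITENTIAL_MCP_PLATFORM_URL`, `ITENTIAL_MCP_PLATFORM_USER` and `ITENTIAL_MCP_PLATFORM_PASSWORD` are hypothetical placeholders; the project's real configuration keys may differ.

```python
import logging
import os
from dataclasses import dataclass
from typing import Iterable, Mapping

# Hypothetical variable names used for illustration only; the real
# project's configuration keys may differ.
ENV_URL = "ITENTIAL_MCP_PLATFORM_URL"
ENV_USER = "ITENTIAL_MCP_PLATFORM_USER"
ENV_PASSWORD = "ITENTIAL_MCP_PLATFORM_PASSWORD"

REDACTED = "[REDACTED]"


class ConfigError(ValueError):
    """Raised when required settings are missing or insecure."""


@dataclass(frozen=True)
class PlatformConfig:
    url: str
    user: str
    password: str

    def __repr__(self) -> str:
        # Never echo the secret, even in tracebacks or debug dumps.
        return f"PlatformConfig(url={self.url!r}, user={self.user!r}, password='***')"


def load_config(env: Mapping[str, str] = os.environ) -> PlatformConfig:
    """Read credentials from the environment and fail closed on problems.

    Every required variable must be present and non-empty, and the
    platform URL must use https:// so credentials never cross the network
    in clear text. Pass a plain dict as ``env`` to test without touching
    the real process environment.
    """
    missing = [k for k in (ENV_URL, ENV_USER, ENV_PASSWORD) if not env.get(k)]
    if missing:
        raise ConfigError(f"missing required settings: {', '.join(missing)}")
    url = env[ENV_URL].strip()
    if not url.lower().startswith("https://"):
        raise ConfigError("platform URL must use https://")
    return PlatformConfig(url=url, user=env[ENV_USER], password=env[ENV_PASSWORD])


def redact(text: str, secrets: Iterable[str]) -> str:
    """Replace every occurrence of each known secret value with a marker."""
    for secret in secrets:
        if secret:
            text = text.replace(secret, REDACTED)
    return text


class SecretRedactor(logging.Filter):
    """Logging filter that scrubs known secret values from every record.

    The record is formatted once here, scrubbed, and its args cleared, so
    handlers downstream only ever see the redacted string.
    """

    def __init__(self, secrets: Iterable[str]):
        super().__init__()
        self._secrets = [s for s in secrets if s]

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage(), self._secrets)
        record.args = ()
        return True


def build_logger(config: PlatformConfig, name: str = "itential_mcp.example") -> logging.Logger:
    """Return a logger that can never print the configured password."""
    logger = logging.getLogger(name)
    logger.addFilter(SecretRedactor([config.password]))
    return logger


def filtered_message(secret: str, template: str, *args) -> str:
    """Format one log record through SecretRedactor and return the result."""
    record = logging.LogRecord("demo", logging.INFO, __file__, 0, template, args, None)
    SecretRedactor([secret]).filter(record)
    return record.getMessage()


if __name__ == "__main__":
    # Constructed sample environment; these are not real credentials.
    sample_env = {
        ENV_URL: "https://platform.example.internal",
        ENV_USER: "mcp-service",
        ENV_PASSWORD: "s3cr3t-example",
    }
    cfg = load_config(sample_env)
    logging.basicConfig(level=logging.INFO)
    log = build_logger(cfg)
    # Even a careless log call cannot leak the password past the filter.
    log.info("connecting to %s as %s with password %s", cfg.url, cfg.user, cfg.password)
```

The filter is deliberately value-based rather than pattern-based: it only knows the secrets the process was configured with, so it never has to guess what a token looks like, and it runs before handlers format the record, which is the point at which a secret would otherwise be written to a file or shipped to a collector.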
When contributing to Itential MCP:
- Code Review: All code changes require review before merging
- Dependencies:
  - Keep dependencies up to date
  - Use dependency scanning tools
  - Avoid adding unnecessary dependencies
- Input Validation: Always validate and sanitize user inputs
- Error Handling: Avoid exposing sensitive information in error messages
- Testing: Include security-focused test cases
- Documentation: Document security implications of new features
Security features of Itential MCP:
- stdio: Inherits security context of the parent process
- SSE/HTTP: Supports HTTPS/TLS encryption
- Authentication: Integration with Itential Platform authentication
- Credentials: Stored securely using environment variables or secure credential stores
- API Communication: All API calls to Itential Platform use authenticated sessions
- Logging: Sensitive data is not logged or is properly redacted
Dependency management:
- Regular dependency updates through automated tooling
- Security scanning of dependencies
- Minimal dependency footprint to reduce attack surface
We follow a coordinated disclosure approach:
- Private Notification: Vulnerabilities are first reported privately
- Investigation: We investigate and develop fixes
- Testing: Fixes are thoroughly tested
- Release: Security updates are released
- Public Disclosure: Details are disclosed after fixes are available
We appreciate security researchers who follow responsible disclosure practices. With your permission, we will:
- Acknowledge your contribution in release notes
- Include you in our security hall of fame
- Provide swag or other recognition as appropriate
For security-related questions or to report vulnerabilities:
- General Security Questions: [to be configured]
- Vulnerability Reports: Use private disclosure methods described above
This security policy may be updated from time to time. Changes will be announced through:
- Repository release notes
- Security advisories
- Project communication channels
Note: This policy is effective as of the date it was added to the repository and applies to all versions of Itential MCP.