| Version | Supported |
|---|---|
| 0.1.x | ✅ |
We take security seriously. If you discover a security vulnerability in MCP Proxy, please report it responsibly.
- Do NOT open a public GitHub issue for security vulnerabilities
- Email your findings to: security@agentfacts.dev (or open a private security advisory on GitHub)
- Include as much detail as possible:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Acknowledgment: We will acknowledge receipt within 48 hours
- Assessment: We will assess the vulnerability and determine its severity
- Updates: We will keep you informed of our progress
- Resolution: We aim to resolve critical issues within 7 days
- Credit: With your permission, we will credit you in the release notes
The following are in scope for security reports:
- Authentication/authorization bypasses
- Policy enforcement failures
- Information disclosure
- Injection vulnerabilities
- Denial of service vulnerabilities
- Cryptographic issues
- Issues in dependencies (report to upstream maintainers)
- Issues requiring physical access
- Social engineering attacks
- Issues in third-party integrations
When deploying MCP Proxy:
- Enable TLS in production environments
- Use strong policies - start with deny-all and allow explicitly
- Enable audit logging for compliance and forensics
- Keep updated - regularly update to the latest version
- Limit network exposure - use firewalls and network segmentation
- Review policies - regularly audit your OPA policies
MCP Proxy includes several security features:
- OPA Policy Engine: Fine-grained access control
- Audit Logging: Complete audit trail of all operations
- TLS Support: Encrypted communications
- Session Management: Secure session handling
- Input Validation: Request validation and sanitization
Thank you for helping keep MCP Proxy secure!