 |
VOOZH | about |
|
VOOZH | about |
This document describes the security policy for the SIMAP MCP Server, including supported versions, vulnerability reporting procedures, security scope, and best practices. The SIMAP MCP Server is designed as a read-only client to the public SIMAP.ch API with minimal security surface area.
For information about community conduct and behavior standards, see Code of Conduct. For details on the contribution process and PR requirements, see How to Contribute.
Sources: SECURITY.md1-36 CODE_OF_CONDUCT.md1-83
The project maintains security support for the following version ranges:
| Version | Supported | Notes |
|---|---|---|
| 1.x | ✅ Yes | Current major version, receives security updates SECURITY.md5-7 |
| < 1.0 | ❌ No | Pre-release versions, upgrade to 1.x |
Security patches are released as patch version increments (e.g., 1.2.2 → 1.2.3) and automatically published through the CI/CD pipeline. Users should monitor GitHub releases or npm updates to stay current with security fixes.
Sources: SECURITY.md3-7
Security vulnerabilities must be reported through private channels only. Do not open public GitHub issues for security concerns SECURITY.md13
Primary reporting method: Use GitHub's private vulnerability reporting to submit confidential security reports SECURITY.md15
Alternative contact: For issues requiring direct communication or reporting Code of Conduct violations, contact project maintainers at info@digilac.ch CODE_OF_CONDUCT.md49
Title: "Vulnerability Management Lifecycle"
| Stage | Timeline | Description |
|---|---|---|
| Acknowledgment | 48 hours | Confirming receipt of vulnerability report SECURITY.md18 |
| Initial Assessment | 7 days | Determining validity and severity SECURITY.md19 |
| Fix Timeline | Variable | Based on severity and impact SECURITY.md20 |
Sources: SECURITY.md9-21
The SIMAP MCP Server operates within clearly defined security boundaries, acting as a bridge between an MCP Client and the public SIMAP API.
Title: "System Security Boundaries and Code Entities"
The following security areas are within the project's scope SECURITY.md26-30:
@modelcontextprotocol/sdk or zod.| Area | Rationale |
|---|---|
| Authentication/Authorization | Server is a read-only client to a public API; it does not handle auth SECURITY.md24-38 |
| Credential Storage | The server does not store or manage any user credentials SECURITY.md24-40 |
| User Data Privacy | The server does not process or store sensitive user data SECURITY.md24 |
| Write Operations | The server only performs read operations against public endpoints SECURITY.md24-38 |
Sources: SECURITY.md22-40
The SIMAP_MCP_DEBUG environment variable controls verbose logging to stderr. This is intended for local troubleshooting only SECURITY.md45-50
1 or true, it switches the HTTP client to verbose logging, including full outbound URLs with all query parameters (search terms, filters, CPV codes) and response metadata SECURITY.md45-50stderr logs and retain them. In production, this can effectively persist user-intent data in shared log infrastructure SECURITY.md39-50SIMAP_MCP_DEBUG unset or empty in production environments .env.example5-8 SECURITY.md39The server does not require any secrets, tokens, or API keys SECURITY.md40
stdout is strictly reserved for the MCP JSON-RPC protocol. Never redirect stdout into log files as it will break the communication with the MCP client SECURITY.md41Sources: SECURITY.md37-51 .env.example1-9
All tool inputs pass through strict Zod schema validation before processing. This prevents injection attacks and ensures the API client receives only expected data types.
Title: "Input Validation Pipeline"
The SimapClient class implements security best practices to protect the server and the upstream API:
Title: "SimapClient Security Controls"
Sources: SECURITY.md22-30 CODE_OF_CONDUCT.md45-53
Sources: SECURITY.md31-36
Refresh this wiki