## Supported Versions

| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0 | ❌ |

## Security Measures

This project implements the following security measures:

- Base Image: Chainguard Wolfi (minimal attack surface)
- Non-root User: Runs as `mcp` (uid 1000)
- Minimal Permissions: Only required Deno permissions enabled
- SHA-pinned Actions: All GitHub Actions use commit hashes
- CodeQL Analysis: Automated SAST scanning
- Secret Scanning: Gitleaks, TruffleHog
- Dependency Scanning: Trivy, Semgrep
- OSSF Scorecard: Weekly security posture assessment
- SPDX License Headers: All source files tagged
- No Weak Crypto: MD5/SHA1 blocked for security use
- HTTPS Enforced: HTTP URLs blocked in CI
- No Hardcoded Secrets: Pattern detection in CI
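
As an added example (not the project's own CI tooling), a small Python check for two of the measures listed above, SHA-pinned action references and HTTP URLs blocked in CI, run over a constructed workflow snippet; the regexes, function names and the placeholder commit SHA are assumptions for illustration:

```python
import re

# Constructed sample workflow text for demonstration; not a file from this project.
# The 40-hex value is a made-up placeholder, not a real commit SHA.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # pinned
      - uses: actions/setup-node@v4
      - uses: ./.github/actions/local-step
      - run: curl http://example.com/install.sh | sh
      - run: curl https://example.com/install.sh | sh
"""

# `uses:` references in workflow steps, captured up to whitespace or a comment
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
# A full 40-character lowercase hex commit SHA
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Plain-HTTP URLs; "://" right after "http" means https:// does not match
HTTP_RE = re.compile(r"\bhttp://[^\s\"']+")

def unpinned_actions(text):
    """Return action references not pinned to a full commit SHA.
    Local (./path) and docker:// references have no ref to pin and are skipped;
    tags or branches such as @v4 or @main are reported."""
    findings = []
    for ref in USES_RE.findall(text):
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            findings.append(ref)
    return findings

def plain_http_urls(text):
    """Return every http:// URL in the text (the HTTPS-enforced check)."""
    return HTTP_RE.findall(text)

def check_workflow(text):
    """Run both checks; an empty list under each key means the workflow passes."""
    return {"unpinned": unpinned_actions(text), "http_urls": plain_http_urls(text)}

if __name__ == "__main__":
    print(check_workflow(SAMPLE_WORKFLOW))
```

Running it over the constructed snippet reports `actions/setup-node@v4` as unpinned and the single `http://` URL; a clean workflow yields two empty lists.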

## Reporting a Vulnerability

- Email: security@hyperpolymath.org
- GPG Key: https://hyperpolymath.org/gpg/security.asc

### Process

- Report via email with details of the vulnerability
- Response within 72 hours acknowledging receipt
- Assessment within 7 days with severity classification
- Fix Timeline:
  - Critical: 24-48 hours
  - High: 7 days
  - Medium: 30 days
  - Low: Next release
- Coordinated disclosure after fix is released
- Credit given to reporter (unless anonymity requested)
- CVE assigned for confirmed vulnerabilities

See `.well-known/security.txt` for machine-readable security contact information (RFC 9116).