|
2 | 2 |
|
3 | 3 | ## Supported Versions |
4 | 4 |
|
| 5 | +The following versions of SQLite MCP Server are currently supported with security updates: |
| 6 | + |
| 7 | +| Version | Supported | |
| 8 | +| ------- | ------------------ | |
| 9 | +| 0.1.x | :white_check_mark: | |
| 10 | +| < 0.1 | :x: | |
| 11 | + |
| 12 | +**Note**: As this is an early-stage project, we currently only support the latest minor version. Once we reach version 1.0, we will maintain security support for multiple versions. |
| 13 | + |
| 14 | +## Reporting a Vulnerability |
| 15 | + |
| 16 | +We take security vulnerabilities seriously. If you discover a security issue in SQLite MCP Server, please report it responsibly. |
| 17 | + |
| 18 | +### How to Report |
| 19 | + |
| 20 | +**For security vulnerabilities, please do NOT create a public GitHub issue.** |
| 21 | + |
| 22 | +Instead, please report security vulnerabilities through one of the following methods: |
| 23 | + |
| 24 | +1. **GitHub Security Advisories** (Recommended) |
| 25 | + - Go to the [Security tab](https://github.com/nipunap/sqlite-mcp-server/security) of this repository |
| 26 | + - Click "Report a vulnerability" |
| 27 | + - Fill out the security advisory form |
| 28 | + |
| 29 | +2. **Email** (Alternative) |
| 30 | + - Send an email with details to the repository maintainer |
| 31 | + - Include "SECURITY" in the subject line |
| 32 | + - Provide as much detail as possible about the vulnerability |
| 33 | + |
| 34 | +### What to Include |
| 35 | + |
| 36 | +When reporting a vulnerability, please include: |
| 37 | + |
| 38 | +- **Description**: A clear description of the vulnerability |
| 39 | +- **Steps to Reproduce**: Detailed steps to reproduce the issue |
| 40 | +- **Impact**: What could an attacker accomplish with this vulnerability? |
| 41 | +- **Affected Versions**: Which versions of the software are affected |
| 42 | +- **Suggested Fix**: If you have ideas for how to fix the issue (optional) |
| 43 | +- **Proof of Concept**: Code or screenshots demonstrating the vulnerability (if applicable) |
| 44 | + |
| 45 | +### Response Timeline |
| 46 | + |
| 47 | +We are committed to responding to security reports promptly: |
| 48 | + |
| 49 | +- **Initial Response**: Within 48 hours of receiving the report |
| 50 | +- **Status Updates**: Weekly updates on investigation progress |
| 51 | +- **Resolution Timeline**: We aim to resolve critical vulnerabilities within 7 days, and other vulnerabilities within 30 days |
| 52 | + |
| 53 | +### What to Expect |
| 54 | + |
| 55 | +**If the vulnerability is accepted:** |
| 56 | +- We will work with you to understand and reproduce the issue |
| 57 | +- We will develop and test a fix |
| 58 | +- We will coordinate the disclosure timeline with you |
| 59 | +- We will credit you in the security advisory (unless you prefer to remain anonymous) |
| 60 | +- We will release a security update and publish a security advisory |
| 61 | + |
| 62 | +**If the vulnerability is declined:** |
| 63 | +- We will provide a clear explanation of why we don't consider it a security issue |
| 64 | +- We may suggest alternative ways to address your concerns |
| 65 | +- You are welcome to discuss our decision if you disagree |
| 66 | + |
| 67 | +## Security Best Practices |
| 68 | + |
| 69 | +When using SQLite MCP Server, please follow these security best practices: |
| 70 | + |
| 71 | +### Database Security |
| 72 | +- **File Permissions**: Ensure database files have appropriate file system permissions |
| 73 | +- **Access Control**: Limit access to database files to authorized users only |
| 74 | +- **Backup Security**: Secure your database backups appropriately |
| 75 | + |
| 76 | +### Network Security |
| 77 | +- **Local Use**: SQLite MCP Server is designed for local use; avoid exposing it over networks |
| 78 | +- **Input Validation**: Always validate and sanitize inputs when building applications on top of the server |
| 79 | + |
| 80 | +### Configuration Security |
| 81 | +- **Minimal Permissions**: Run the server with minimal required permissions |
| 82 | +- **Regular Updates**: Keep the server updated to the latest supported version |
| 83 | +- **Monitoring**: Monitor server logs for suspicious activity |
| 84 | + |
| 85 | +## Scope |
| 86 | + |
| 87 | +This security policy covers: |
| 88 | +- The SQLite MCP Server core application |
| 89 | +- Official Docker images (if any) |
| 90 | +- Official documentation and examples |
| 91 | + |
| 92 | +This policy does not cover: |
| 93 | +- Third-party integrations or plugins |
| 94 | +- User-created configurations or customizations |
| 95 | +- Issues in dependencies (report these to the respective projects) |
| 96 | + |
| 97 | +## Security Features |
| 98 | + |
| 99 | +SQLite MCP Server includes the following security features: |
| 100 | + |
| 101 | +- **Input Validation**: SQL injection protection through prepared statements |
| 102 | +- **Error Handling**: Secure error messages that don't leak sensitive information |
| 103 | +- **Resource Limits**: Protection against resource exhaustion attacks |
| 104 | +- **Safe Defaults**: Secure default configuration settings |
| 105 | + |
| 106 | +## Acknowledgments |
| 107 | + |
| 108 | +We appreciate the security research community and will acknowledge researchers who report valid security vulnerabilities (unless they prefer to remain anonymous). |
| 109 | + |
| 110 | +--- |
| 111 | + |
| 112 | +**Last Updated**: December 2024 |
| 113 | + |
| 114 | +For general questions about this security policy, please create a public GitHub issue with the "security" label. |
| 115 | +======= |
5 | 116 | Use this section to tell people about which versions of your project are |
6 | 117 | currently being supported with security updates. |
7 | 118 |
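Review bot: the merge conflict in this file is only half resolved: the added block ends with the conflict separator `+=======`, and the two lines kept as unchanged context after it, `Use this section to tell people about which versions of your project are` and `currently being supported with security updates.`, are the stock GitHub SECURITY.md placeholder that the new "Supported Versions" table replaces. Delete the `=======` line and the two placeholder lines so the file ends with the "For general questions about this security policy" sentence; as committed, the policy renders with a stray `=======` heading-like line and duplicate guidance at the bottom. Two smaller documentation points in the same hunk: the "Email (Alternative)" reporting option says only "Send an email with details to the repository maintainer" and gives no address, so a reporter has no way to use it; either state the contact address (or where to find it) or drop the option and keep GitHub Security Advisories as the single channel. And the "Security Features" list asserts concrete controls ("SQL injection protection through prepared statements", "Protection against resource exhaustion attacks", "Secure default configuration settings") without pointing at the code or configuration that provides them; a link to the relevant module or settings would let users, and reporters judging impact, check what is actually enforced rather than take the list on trust.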