torbjorn/my-pal-mcp-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: rebranding, see [docs/name-change.md](docs/name-change.md) for details

Browse Source
This commit is contained in:
Fahad
2025-12-04 18:11:55 +04:00
parent bcfaccecd4
commit b2dc84992d
122 changed files with 1423 additions and 1056 deletions
Download Patch File Download Diff File Expand all files Collapse all files

81
SECURITY.md Normal file
View File

@@ -0,0 +1,81 @@
# Security Policy
## Supported Versions
| Version | Supported |
| ------- | ------------------ |
| 9.x.x | :white_check_mark: |
| < 9.0 | :x: |
## Important Disclaimer
PAL MCP is an open-source Model Context Protocol (MCP) server that acts as middleware between AI clients (Claude Code, Codex CLI, Cursor, etc.) and various AI model providers.
**Please understand the following:**
- **No Warranty**: This software is provided "AS IS" under the Apache 2.0 License, without warranties of any kind. See the [LICENSE](LICENSE) file for full terms.
- **User Responsibility**: The AI client (not PAL MCP) controls tool invocations and workflows. Users are responsible for reviewing AI-generated outputs and actions.
- **API Key Security**: You are responsible for securing your own API keys. Never commit keys to version control or share them publicly.
- **Third-Party Services**: PAL MCP connects to external AI providers (Google, OpenAI, Azure, etc.). Their terms of service and privacy policies apply to data sent through this server.
## Reporting a Vulnerability
**Please do not report security vulnerabilities through public GitHub issues.**
### Preferred Method
Use [GitHub Security Advisories](https://github.com/BeehiveInnovations/pal-mcp-server/security/advisories/new) to report vulnerabilities privately.
### What to Include
- Description of the vulnerability
- Steps to reproduce
- Affected versions
- Potential impact
- Suggested fix (optional)
### What to Expect
- We will acknowledge your report and assess the issue
- Critical issues will be prioritized
- We'll keep you informed of progress as work proceeds
We cannot commit to specific response timelines, but we take security seriously.
### After Resolution
We welcome security researchers to submit a pull request with the fix. This is an open-source project and we appreciate community contributions to improve security.
## Disclosure Policy
We practice coordinated disclosure. Please allow reasonable time to address issues before public disclosure. We'll work with you on timing.
## Scope
### In Scope
- Authentication/authorization bypasses
- Injection vulnerabilities (command injection, prompt injection with security impact)
- Information disclosure (API keys, sensitive data leakage)
- Denial of service vulnerabilities in the MCP server itself
- Dependency vulnerabilities with exploitable impact
### Out of Scope
- Issues in upstream AI providers (report to Google, OpenAI, etc. directly)
- Issues in AI client software (report to Anthropic, OpenAI, Cursor, etc.)
- AI model behavior or outputs (this is controlled by the AI client and model providers)
- Social engineering attacks
- Rate limiting or resource exhaustion on third-party APIs
## Security Best Practices for Users
1. **Protect API Keys**: Store keys in `.env` files (gitignored) or environment variables
2. **Review AI Actions**: Always review AI-suggested code changes before applying
3. **Use Local Models**: For sensitive codebases, consider using Ollama with local models
4. **Network Security**: When self-hosting, ensure appropriate network controls
5. **Keep Updated**: Regularly update to the latest version for security fixes
## Recognition
We appreciate responsible disclosure and will credit security researchers in release notes (unless you prefer anonymity).