We actively support the following versions with security updates:

We take security vulnerabilities seriously. If you discover a security vulnerability, please report it responsibly.

DO NOT open a public GitHub issue for security vulnerabilities.

Instead, please report security vulnerabilities by emailing:

📧 security@[INSERT_DOMAIN]

Please include the following information in your report:

1. Description of the vulnerability
2. Steps to reproduce the issue
3. Potential impact of the vulnerability
4. Suggested fix (if you have one)
5. Your contact information for follow-up

We commit to:

• Acknowledge your report within 48 hours
• Provide an initial assessment within 5 business days
• Keep you updated on our progress
• Credit you in our security advisory (unless you prefer to remain anonymous)

1. Keep your installation up to date

   pip install --upgrade docs-mcp-server

2. Secure your API tokens

   • Never commit tokens to version control
   • Use environment variables
   • Rotate tokens regularly
   • Use minimal required permissions

3. Use HTTPS endpoints only

   • Always use https:// URLs for DOCS_BASE_URL
   • Verify SSL certificates

4. Monitor access logs

   • Review API access patterns
   • Monitor for unusual activity

1. Input validation

   • Validate all user inputs
   • Use type hints and pydantic models
   • Sanitize data before API calls

2. Error handling

   • Don't expose sensitive information in error messages
   • Log security-relevant events
   • Handle authentication errors gracefully

3. Dependencies

   • Keep dependencies updated
   • Use pip-audit for vulnerability scanning
   • Review dependency security advisories

4. Testing

   • Include security tests
   • Test error conditions
   • Validate authentication flows

• API Token Authentication: Secure token-based authentication with Docs instances
• Environment Variable Configuration: Sensitive data stored in environment variables
• Request Timeout: Configurable timeouts to prevent hanging connections

• HTTPS Only: All API communications use HTTPS
• Certificate Verification: SSL certificate validation enabled by default
• Request Retry Logic: Secure retry mechanism with exponential backoff

• No Data Storage: Client doesn't store sensitive data locally
• Memory-Only Operations: Sensitive data only held in memory during requests
• Secure Error Handling: Error messages don't expose sensitive information

• API tokens provide full access to your Docs instance
• Treat tokens like passwords
• Use different tokens for different environments
• Revoke unused tokens

• Ensure secure network connectivity to Docs instances
• Consider using VPN for sensitive environments
• Monitor network traffic for anomalies

• Enable verbose logging for security investigations
• Monitor API usage patterns
• Set up alerts for unusual activity

If you suspect a security incident:

1. Immediate Actions

   • Revoke potentially compromised API tokens
   • Check access logs for unusual activity
   • Isolate affected systems if necessary

2. Investigation

   • Document the incident
   • Gather relevant logs and evidence
   • Assess the scope of impact

3. Recovery

   • Generate new API tokens
   • Update affected configurations
   • Verify system integrity

4. Post-Incident

   • Review and improve security measures
   • Update documentation and procedures
   • Consider sharing lessons learned

• General Security: security@[INSERT_DOMAIN]
• Vulnerability Reports: security@[INSERT_DOMAIN]
• Security Questions: Create a GitHub discussion

• OWASP API Security Top 10
• Python Security Best Practices
• GitHub Security Advisories

This security policy is reviewed and updated regularly. Last updated: 2024-01-01