If you discover a security vulnerability, please report it responsibly:
- Do NOT open a public issue
- Use GitHub Security Advisories to report privately
- Or email: [email protected]
We will acknowledge receipt within 48 hours and aim to release a fix within 7 days for critical issues.
The following are in scope for security reports:
- Authentication bypass (JWT, API keys, MCP auth)
- Authorization bypass (access control, readonly mode)
- Injection vulnerabilities (path traversal, command injection)
- Data leakage (sensitive information in logs, responses)
- Denial of service (resource exhaustion, crash vectors)
See docs/security.md and docs/authentication.md for details on:
- Password hashing (scrypt)
- JWT token management (HS256, httpOnly cookies)
- API key authentication (timing-safe comparison)
- MCP endpoint authentication
- Per-graph access control (deny/r/rw)
- Readonly graph mode