Cradicle Explorer
poly-observability-mcp
/ SECURITY.md
SECURITY.md
 1  # Security Policy
 2  
 3  ## Supported Versions
 4  
 5  | Version | Supported          |
 6  | ------- | ------------------ |
 7  | 1.x.x   | :white_check_mark: |
 8  | < 1.0   | :x:                |
 9  
10  ## Reporting a Vulnerability
11  
12  If you discover a security vulnerability in poly-observability-mcp, please report it responsibly:
13  
14  ### Contact
15  
16  - **Email:** security@hyperpolymath.org
17  - **GPG Key:** https://hyperpolymath.org/gpg/security.asc
18  - **Preferred Languages:** English, Dutch
19  
20  ### What to Include
21  
22  When reporting a vulnerability, please provide:
23  
24  1. Description of the vulnerability
25  2. Steps to reproduce
26  3. Potential impact assessment
27  4. Any suggested fixes (optional)
28  
29  ### Response Timeline
30  
31  - **Initial Response:** Within 48 hours
32  - **Status Update:** Within 7 days
33  - **Resolution Target:** Within 30 days for critical issues
34  
35  ### What to Expect
36  
37  - We will acknowledge your report within 48 hours
38  - We will investigate and provide a status update within 7 days
39  - If accepted, we will work on a fix and coordinate disclosure
40  - If declined, we will explain our reasoning
41  - Credit will be given to reporters (unless anonymity is requested)
42  
43  ### Scope
44  
45  This security policy covers:
46  
47  - The poly-observability-mcp MCP server
48  - All adapter implementations (Prometheus, Grafana, Loki, Jaeger)
49  - Configuration and deployment files
50  - CI/CD workflows
51  
52  ### Out of Scope
53  
54  - Security issues in upstream dependencies (report to respective projects)
55  - Security of the observability backends themselves (Prometheus, Grafana, Loki, Jaeger)
56  - Issues in third-party integrations
57  
58  ## Security Best Practices
59  
60  When deploying poly-observability-mcp:
61  
62  1. **Environment Variables:** Store API keys and credentials in environment variables, never in code
63  2. **Network Security:** Use TLS/HTTPS when connecting to observability backends in production
64  3. **Access Control:** Limit MCP server access to authorized clients only
65  4. **API Keys:** Use read-only API keys where possible (especially for Grafana)
66  5. **Container Security:** Run containers as non-root user (default in provided Containerfile)
67  
68  ## Security Features
69  
70  - No hardcoded credentials
71  - Environment-based configuration
72  - Non-root container execution
73  - SHA-pinned GitHub Actions
74  - Automated security scanning (TruffleHog, CodeQL)
75  - RFC 9116 compliant security.txt