Do not open public issues for security vulnerabilities.
Email security reports to: [email protected]
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
We will acknowledge your report within 48 hours and provide a detailed response within 7 days.
| Version | Supported |
|---|---|
| main | ✅ Active development |
| < 1.0 |
Dedalus MCP is a framework for building MCP servers and clients. Security considerations:
- Input validation: All tool/resource inputs validated via Pydantic
- Type safety: Full type hints enforced via mypy
- Context isolation: Each request gets isolated context
- Transport security: HTTPS recommended for HTTP transport
- Token handling: OAuth tokens managed securely when using authorization
This is pre-1.0 software. Areas still being hardened:
- Authorization flows: OAuth support is opt-in and requires proper configuration
- Resource access: No built-in sandboxing of resource handlers
- Tool execution: Tools run in the same process as the server
Recommended practices when deploying:
- Use TLS for all HTTP transports in production
- Validate all external inputs in your tool/resource handlers
- Don't expose sensitive data in error messages
- Use environment variables for secrets, never hardcode
- Enable authorization for multi-tenant deployments
- Audit log all tool invocations
- Set appropriate timeouts for long-running operations
- Pin dependencies to avoid supply chain attacks
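
The handler-level items in the list above (validate inputs, keep sensitive data out of error messages, read secrets from the environment, audit log every invocation, set timeouts) combined in one wrapper. This is an added example using only the Python standard library, not Dedalus MCP code; `hardened_tool`, `ToolError`, the `mcp.audit` logger name, the `EXAMPLE_DB_DSN` variable and the sample `lookup` tool are assumptions made for illustration.

```python
import asyncio, functools, json, logging, os, time, uuid
audit = logging.getLogger("mcp.audit")  # hypothetical logger name

class ToolError(Exception):
    """An error whose message is safe to return to the client."""

def hardened_tool(timeout_s: float = 5.0):
    """Wrap an async handler with a timeout, an audit record and sanitized errors."""
    def decorate(fn):
        @functools.wraps(fn)
        async def wrapper(**kwargs):
            call_id = uuid.uuid4().hex
            # Record argument names only: values may carry secrets or personal data.
            record = {"call_id": call_id, "tool": fn.__name__,
                      "arg_names": sorted(kwargs), "ts": time.time()}
            try:
                result = await asyncio.wait_for(fn(**kwargs), timeout=timeout_s)
                record["outcome"] = "ok"
                return result
            except asyncio.TimeoutError:
                record["outcome"] = "timeout"
                raise ToolError(f"tool timed out (ref {call_id})") from None
            except ToolError:
                record["outcome"] = "rejected"
                raise
            except Exception as exc:
                # Audit the exception type only; the client gets just a reference id.
                record.update(outcome="error", error_type=type(exc).__name__)
                raise ToolError(f"internal error (ref {call_id})") from None
            finally:
                audit.info(json.dumps(record))  # one record per invocation
        return wrapper
    return decorate

@hardened_tool(timeout_s=0.05)
async def lookup(user_id: str) -> str:  # constructed sample tool
    dsn = os.environ.get("EXAMPLE_DB_DSN", "")  # secret from the environment
    if not user_id.isdigit():
        raise ToolError("user_id must be numeric")
    if user_id == "0":
        raise RuntimeError(f"connect failed for {dsn}")  # must not reach the client
    if user_id == "9":
        await asyncio.sleep(1)  # simulated hang, cut off by the timeout
    return f"user-{user_id}"

def run(user_id: str) -> str:
    try:
        return asyncio.run(lookup(user_id=user_id))
    except ToolError as exc:
        return f"error: {exc}"
```

The audit logger emits at INFO level, so it needs a handler and level configured by the host application before records appear.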
We follow coordinated disclosure:
- The reporter submits the vulnerability privately
- We acknowledge within 48 hours
- We investigate and develop a fix
- We release the fix and credit the reporter (unless anonymity is requested)
- Public disclosure after 90 days or when the fix is deployed
We don't currently have a formal bug bounty program. Significant security contributions will be acknowledged in release notes.
- Security issues: [email protected]
- General questions: [email protected]