3cefccab70
Universal: Pre-Release / Build Pre-Release (${{ inputs.stability || github.ref_name }}) (push) Successful in 14s
Non-workflow docs/config only (CLAUDE.md, README, branch-protection, ISSUE_TEMPLATE/config.yml, ci-issue-reporter). Workflow files, manifest schema, and Makefile install paths left for the forge-rebrand gate. Authored-by: Moko Consulting
115 lines
3.3 KiB
Markdown
115 lines
3.3 KiB
Markdown
<!--
|
|
Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
|
|
|
|
This file is part of a Moko Consulting project.
|
|
|
|
SPDX-License-Identifier: GPL-3.0-or-later
|
|
|
|
# FILE INFORMATION
|
|
DEFGROUP: dolibarr-api-mcp.Documentation
|
|
INGROUP: dolibarr-api-mcp
|
|
REPO: https://git.mokoconsulting.tech/MokoConsulting/dolibarr-api-mcp
|
|
PATH: /SECURITY.md
|
|
VERSION: 01.00.00
|
|
BRIEF: Security vulnerability reporting and handling policy
|
|
-->
|
|
|
|
# Security Policy
|
|
|
|
## Purpose and Scope
|
|
|
|
This document defines the security vulnerability reporting, response, and disclosure policy for dolibarr-api-mcp and all repositories governed by MokoStandards.
|
|
|
|
## Supported Versions
|
|
|
|
| Version | Supported |
|
|
| ------- | ------------------ |
|
|
| 1.x.x | :white_check_mark: |
|
|
| < 1.0 | :x: |
|
|
|
|
Only the current major version receives security updates.
|
|
|
|
## Reporting a Vulnerability
|
|
|
|
Report security vulnerabilities via MokoGitea issue (preferred):
|
|
https://git.mokoconsulting.tech/MokoConsulting/dolibarr-api-mcp/issues/new?template=security.yaml
|
|
|
|
Or email: hello@mokoconsulting.tech
|
|
|
|
### Where to Report
|
|
|
|
**DO NOT** create public issues for security vulnerabilities.
|
|
|
|
Report security vulnerabilities privately to:
|
|
|
|
**Email**: `hello@mokoconsulting.tech`
|
|
|
|
**Subject Line**: `[SECURITY] Brief Description`
|
|
|
|
### What to Include
|
|
|
|
1. **Description**: Clear explanation of the vulnerability
|
|
2. **Impact**: Potential security impact and severity assessment
|
|
3. **Affected Versions**: Which versions are vulnerable
|
|
4. **Reproduction Steps**: Detailed steps to reproduce the issue
|
|
5. **Proof of Concept**: Code or demonstration (if applicable)
|
|
6. **Suggested Fix**: Proposed remediation (if known)
|
|
|
|
### Response Timeline
|
|
|
|
* **Initial Response**: Within 3 business days
|
|
* **Assessment Complete**: Within 7 business days
|
|
* **Fix Timeline**: Depends on severity (see below)
|
|
|
|
## Severity Classification
|
|
|
|
### Critical
|
|
* API key exposure or leakage
|
|
* Remote code execution via API parameters
|
|
* Authentication bypass
|
|
* **Fix Timeline**: 7 days
|
|
|
|
### High
|
|
* SQL injection via sqlfilters parameter
|
|
* Unauthorized access to Dolibarr data
|
|
* **Fix Timeline**: 14 days
|
|
|
|
### Medium
|
|
* Information disclosure (limited scope)
|
|
* Configuration file exposure
|
|
* **Fix Timeline**: 30 days
|
|
|
|
### Low
|
|
* Security best practice violations
|
|
* Minor information leaks
|
|
* **Fix Timeline**: 60 days or next release
|
|
|
|
## Security Considerations
|
|
|
|
### API Key Storage
|
|
|
|
- API keys are stored in `~/.dolibarr-api-mcp.json` with user-only file permissions
|
|
- Never commit API keys to version control
|
|
- The `.gitignore` excludes `.mcp.json` and environment files
|
|
|
|
### SQL Filter Safety
|
|
|
|
- The `buildSqlFilter()` helper escapes single quotes to prevent SQL injection via the `sqlfilters` parameter
|
|
- All user-provided search terms are wrapped with the helper before being sent to Dolibarr
|
|
|
|
### TLS Verification
|
|
|
|
- The `insecure` connection option disables TLS certificate verification
|
|
- This should only be used for local development with self-signed certificates
|
|
- Production connections should always use valid TLS certificates
|
|
|
|
## Attribution and Recognition
|
|
|
|
We acknowledge and appreciate responsible disclosure. With your permission, we will credit you in security advisories and release notes.
|
|
|
|
## Revision History
|
|
|
|
| Date | Version | Author | Notes |
|
|
| --- | --- | --- | --- |
|
|
| 2026-05-07 | 0.0.1 | jmiller | Initial security policy |
|