|
| 1 | +# Security Disclosure & Handling Process |
| 2 | + |
| 3 | +This document explains **how security reports are handled** for |
| 4 | +codebase-memory-mcp — what happens after you report a vulnerability, what you |
| 5 | +can expect from us, and how disclosure and credit work. |
| 6 | + |
| 7 | +For **how to report** a vulnerability and **what is in scope**, see |
| 8 | +[`SECURITY.md`](../SECURITY.md). This document covers the process *after* a |
| 9 | +report arrives. |
| 10 | + |
| 11 | +> **This is a solo, volunteer-maintained project.** Everything below is handled |
| 12 | +> on a good-faith, best-effort basis. The timeframes are honest targets we aim |
| 13 | +> to beat — not contractual guarantees. If something will take longer, we will |
| 14 | +> tell you and keep you updated rather than go silent. |
| 15 | +
|
| 16 | +## Principles |
| 17 | + |
| 18 | +We follow **coordinated disclosure**: |
| 19 | + |
| 20 | +1. **Fix privately, disclose publicly.** Details of an unfixed vulnerability are |
| 21 | + never discussed in the open. We develop and validate the fix in private, ship |
| 22 | + a release, and only then disclose. |
| 23 | +2. **Patch before publicity.** A fixed release is always available *before* the |
| 24 | + vulnerability is described publicly, so users can update immediately. |
| 25 | +3. **Credit the researcher.** Public credit by default; anonymity on request. |
| 26 | +4. **A bug fixed once should stay fixed.** Every fix ships with a regression |
| 27 | + test or guard so the same class of issue cannot silently return. |
| 28 | + |
| 29 | +## What happens after you report |
| 30 | + |
| 31 | +| Step | What we do | Target (best-effort) | |
| 32 | +|------|------------|----------------------| |
| 33 | +| 1. **Acknowledge** | Confirm we received your report and are looking at it. | within **7 days** (usually much sooner) | |
| 34 | +| 2. **Triage & severity** | Reproduce the issue and assign a severity (CVSS). | within **14 days** | |
| 35 | +| 3. **Fix privately** | Develop the fix in a private environment, with a regression guard, and validate it across all supported platforms (Linux, macOS, Windows) under full CI. | severity-dependent | |
| 36 | +| 4. **You verify** | We invite you (read-only) to confirm the fix resolves the issue and that the guard prevents regression. Your sign-off is welcomed; an unresponsive reporter will not indefinitely block a release. | — | |
| 37 | +| 5. **Release** | Merge the fix and cut a patched release promptly. | as fast as severity warrants | |
| 38 | +| 6. **Disclose** | Publish a [GitHub Security Advisory](https://github.com/DeusData/codebase-memory-mcp/security/advisories), request a **CVE** (GitHub is a CNA), and credit you. | after a short upgrade window | |
| 39 | + |
| 40 | +**Overall fix timeline:** we aim to resolve and release a fix within **90 days** |
| 41 | +of triage, and much faster for high-severity issues. Critical, actively |
| 42 | +exploitable issues are handled with the highest priority. |
| 43 | + |
| 44 | +## Severity |
| 45 | + |
| 46 | +We assess severity using **CVSS** and prioritise accordingly. Roughly: |
| 47 | + |
| 48 | +- **Critical / High** — remote code execution, sandbox/scope escape, supply-chain |
| 49 | + compromise. Prioritised; expedited release. |
| 50 | +- **Medium** — issues requiring local access, non-default configuration, or |
| 51 | + significant user interaction. |
| 52 | +- **Low** — defense-in-depth gaps, hardening, information exposure with limited |
| 53 | + impact. |
| 54 | + |
| 55 | +## Credit & CVE |
| 56 | + |
| 57 | +- You are **credited by name/handle** in the published advisory unless you ask to |
| 58 | + remain anonymous. |
| 59 | +- A **CVE identifier** is requested for each distinct vulnerability via the |
| 60 | + GitHub Security Advisory (one CVE per vulnerability, not per report — a single |
| 61 | + report may yield several). |
| 62 | +- The advisory lists the **affected and patched version ranges** so downstream |
| 63 | + tooling (e.g. Dependabot) can alert users automatically. |
| 64 | + |
| 65 | +## Safe harbor |
| 66 | + |
| 67 | +We will not pursue or support legal action against researchers who act in |
| 68 | +**good faith**, meaning you: |
| 69 | + |
| 70 | +- only access, modify, or store data in **your own test environment**; |
| 71 | +- avoid privacy violations, data destruction, and degradation of service for |
| 72 | + others; |
| 73 | +- give us a **reasonable opportunity to fix** the issue before disclosing it |
| 74 | + publicly; |
| 75 | +- do not exploit the issue beyond the minimum necessary to demonstrate it. |
| 76 | + |
| 77 | +Good-faith research conducted under this policy is considered authorised, and we |
| 78 | +will work with you, not against you. |
| 79 | + |
| 80 | +## What we ask of you |
| 81 | + |
| 82 | +- Report **privately** (see [`SECURITY.md`](../SECURITY.md)) — not as a public |
| 83 | + issue, PR, or social-media post. |
| 84 | +- Give us **reasonable time** to fix before any public write-up. |
| 85 | +- Provide enough detail to **reproduce** (affected version, steps, impact). |
| 86 | + |
| 87 | +Thank you for helping keep a tool used by developers worldwide safe. 🙏 |
0 commit comments