|
| 1 | +# Security Policy |
| 2 | + |
| 3 | +## Reporting Security Vulnerabilities |
| 4 | + |
| 5 | +**DO NOT** open a public GitHub issue for security vulnerabilities. Instead, please report them responsibly to: |
| 6 | + |
| 7 | +**Email:** security@rethunk.tech |
| 8 | +**Response SLA:** We aim to respond to security reports within 24 hours. |
| 9 | + |
| 10 | +When reporting a vulnerability, please include: |
| 11 | +- Description of the vulnerability |
| 12 | +- Affected component(s) and version(s) |
| 13 | +- Steps to reproduce (if applicable) |
| 14 | +- Potential impact |
| 15 | +- Suggested fix (optional) |
| 16 | + |
| 17 | +## Scope & Risk Profile |
| 18 | + |
| 19 | +`rethunk-github-mcp` is an MCP server that exposes GitHub API operations to LLMs. It has elevated security implications due to API access and batch operations. |
| 20 | + |
| 21 | +### GitHub API Authentication |
| 22 | +- **Critical:** Server authenticates with GitHub via personal access token or app credentials |
| 23 | +- Tokens must never be embedded in code or logs |
| 24 | +- Environment variables (GITHUB_TOKEN) require protection |
| 25 | +- Token scopes should be limited to minimum required operations |
| 26 | + |
| 27 | +### API Rate Limiting & Abuse Risk |
| 28 | +- **High:** MCP tools batch multiple API calls; potential for rapid rate limit exhaustion |
| 29 | +- Tools like `repo_status` and `ecosystem_activity` can execute 10-50+ API calls per invocation |
| 30 | +- Implement rate-limit detection and backoff in client code |
| 31 | +- Monitor for unusual token usage patterns |
| 32 | + |
| 33 | +### Data Exposure Risk |
| 34 | +- **Medium:** Sensitive repo/org data (private repo names, CI logs, secret patterns in code) could be exposed |
| 35 | +- All tool outputs should be treated as potentially sensitive |
| 36 | +- Do not expose in logs or error messages |
| 37 | +- Validate all inputs to prevent API injection attacks |
| 38 | + |
| 39 | +### Cross-Org / Multi-Repo Access |
| 40 | +- **High:** Tools operate across multiple repos and orgs if configured |
| 41 | +- Ensure token scopes do not exceed intended access |
| 42 | +- Validate repo access before returning sensitive data |
| 43 | +- Be mindful of PR labels, commit messages, CI logs that may contain secrets |
| 44 | + |
| 45 | +## Security Practices |
| 46 | + |
| 47 | +### Token Management |
| 48 | +- Use GitHub Personal Access Tokens (PAT) or App credentials |
| 49 | +- Never commit tokens; use environment variables only |
| 50 | +- Rotate tokens regularly |
| 51 | +- Use minimal scopes (e.g., `repo:read` for read-only tools) |
| 52 | +- Monitor token usage via GitHub's audit log |
| 53 | + |
| 54 | +### API Call Safety |
| 55 | +- Validate all input parameters (repo names, branch names, etc.) |
| 56 | +- Implement exponential backoff for rate limit 429 responses |
| 57 | +- Set timeouts on API calls to prevent hanging |
| 58 | +- Log API calls (without exposing tokens) for audit trails |
| 59 | + |
| 60 | +### Output Validation |
| 61 | +- Do not expose raw GitHub API responses without review |
| 62 | +- Sanitize error messages (don't expose token leakage) |
| 63 | +- Be mindful of CI logs, commit messages that may contain secrets |
| 64 | +- Trim log output if suspiciously long |
| 65 | + |
| 66 | +### Dependency Management |
| 67 | +- Keep `octokit` and related GitHub API packages up-to-date |
| 68 | +- Run `bun audit` regularly; address high/critical vulnerabilities |
| 69 | +- Review major version updates for API contract changes |
| 70 | + |
| 71 | +## Supported Versions |
| 72 | + |
| 73 | +Latest release only. |
| 74 | + |
| 75 | +| Version | Supported | |
| 76 | +|---------|-----------| |
| 77 | +| 1.0.x | ✅ Yes | |
| 78 | +| < 1.0 | ⚠️ Limited| |
| 79 | + |
| 80 | +## Known Vulnerabilities |
| 81 | + |
| 82 | +None currently known. Reports are welcome via security@rethunk.tech. |
| 83 | + |
| 84 | +## Third-Party Security |
| 85 | + |
| 86 | +### GitHub API |
| 87 | +- Octokit SDK is official GitHub SDK; generally secure but monitor updates |
| 88 | +- Review GitHub API changelog for breaking changes and security fixes |
| 89 | +- Be aware of GitHub's own abuse prevention and rate limiting |
| 90 | + |
| 91 | +### Dependencies |
| 92 | +- Bun runtime: keep updated for security patches |
| 93 | +- octokit/rest, octokit/graphql: official libraries, monitor for updates |
| 94 | +- TypeScript: type safety helps prevent runtime issues |
| 95 | + |
| 96 | +## Testing & Validation |
| 97 | + |
| 98 | +- Test tools with read-only tokens before production deployment |
| 99 | +- Validate rate limit handling with heavy multi-repo queries |
| 100 | +- Test error handling with invalid repos/tokens |
| 101 | +- Do not test against production tokens; use a test token with limited access |
| 102 | + |
| 103 | +## Incident Response |
| 104 | + |
| 105 | +If a security vulnerability is discovered: |
| 106 | + |
| 107 | +1. **Report immediately** to security@rethunk.tech (do not disclose publicly) |
| 108 | +2. **Include reproduction steps** and affected version(s) |
| 109 | +3. **Allow 24-48 hours** for initial response and triage |
| 110 | +4. **Coordinate disclosure** timeline if patch is required |
| 111 | +5. **Credit will be given** to the reporter (if desired) |
| 112 | + |
| 113 | +## Contact |
| 114 | + |
| 115 | +- **Security Issues:** security@rethunk.tech |
| 116 | +- **General Support:** support@rethunk.tech |
| 117 | +- **Website:** https://rethunk.tech |
| 118 | + |
| 119 | +--- |
| 120 | + |
| 121 | +**Last updated:** 2026-04-27 |
0 commit comments