We release patches for security vulnerabilities for the following versions:
| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |
We take the security of virtualization-mcp seriously. If you believe you have found a security vulnerability, please report it to us as described below.
Please do NOT report security vulnerabilities through public GitHub issues.
Instead, please report them via email to:
- Email: sandra@sandraschi.dev
- Subject: [SECURITY] Virtualization-MCP Security Issue
Please include the following information:
- Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
- Full paths of source file(s) related to the manifestation of the issue
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit the issue
- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Fix Timeline: Critical vulnerabilities within 30 days
- Input Validation: All tool parameters are validated
- Sandboxing: VM operations are isolated
- Access Control: Path traversal protection
- Dependency Scanning: Automated with Dependabot
- Code Scanning: Bandit, Safety, and Semgrep in CI/CD
When using virtualization-mcp:
- Keep VirtualBox updated to the latest version
- Use strong VM passwords
- Limit network exposure of VMs
- Regular security audits of VM configurations
- Monitor VM resource usage
- Keep the MCP server updated
We use automated security scanning:
- Bandit: Python security linting
- Safety: Dependency vulnerability scanning
- Semgrep: Static analysis security testing
- Dependabot: Automated dependency updates
When we receive a security bug report, we will:
- Confirm the problem and determine affected versions
- Audit code to find any similar problems
- Prepare fixes for all supported versions
- Release new versions as soon as possible
We appreciate security researchers who responsibly disclose vulnerabilities. With your permission, we will publicly acknowledge your contribution.