yvachot/GeoGuessrMCP
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
GeoGuessrMCP/SECURITY.md
Claude 16f3810210
feat: Add comprehensive license and repository protection 
- Add MIT LICENSE file with proper copyright attribution
- Add SECURITY.md with vulnerability reporting guidelines
- Add CONTRIBUTING.md with contribution guidelines and standards
- Add CODE_OF_CONDUCT.md following Contributor Covenant 2.1
- Add .github/CODEOWNERS for code ownership protection
- Add GitHub issue templates (bug report, feature request)
- Add pull request template for standardized PRs
- Add automated workflows for code quality and security checks
- Add dependency review workflow for license compliance

This establishes professional standards and protections for the repository.
2025-11-29 05:08:27 +00:00

138 lines
4.1 KiB
Markdown
Raw Blame History

# Security Policy
## Supported Versions
We actively support the following versions of the GeoGuessr MCP Server:
| Version | Supported |
| ------- | ------------------ |
| 0.1.x | :white_check_mark: |
| < 0.1 | :x: |
## Reporting a Vulnerability
We take the security of the GeoGuessr MCP Server seriously. If you discover a security vulnerability, please follow these steps:
### How to Report
1. **Do NOT** open a public issue for security vulnerabilities
2. Email security details to: **yuki.vachot@datasingularity.fr**
3. Include the following information:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact assessment
- Suggested fix (if available)
### What to Expect
- **Acknowledgment**: You will receive a response within 48 hours acknowledging receipt of your report
- **Investigation**: We will investigate the issue and provide an initial assessment within 5 business days
- **Updates**: We will keep you informed about the progress of the fix
- **Resolution**: Once fixed, we will notify you and coordinate disclosure timing
- **Credit**: We will credit you for the discovery (unless you prefer to remain anonymous)
## Security Best Practices
### Authentication
- **Never commit** your `GEOGUESSR_NCFA_COOKIE` to version control
- Use environment variables (`.env` file) for sensitive credentials
- Rotate your cookies regularly
- Use read-only API access when possible
### Deployment
- Always use HTTPS in production environments
- Keep Docker images updated with the latest security patches
- Use secrets management for production deployments
- Implement rate limiting on public-facing endpoints
- Review and restrict container permissions
### API Usage
- Monitor API usage for unusual patterns
- Implement request validation and sanitization
- Use the latest version of dependencies
- Enable monitoring and logging for security events
## Known Security Considerations
### Authentication Token Storage
The server stores authentication cookies in memory during runtime. For production use:
- Ensure proper access controls on the server
- Use encrypted storage if persisting credentials
- Implement session timeouts
### API Monitoring
The monitoring system periodically checks GeoGuessr API endpoints:
- Requests are made with appropriate rate limiting
- No sensitive data is logged
- Schema data is stored locally without sensitive information
### Docker Security
When deploying with Docker:
- Use non-root user inside containers
- Limit container capabilities
- Use read-only root filesystem where possible
- Scan images for vulnerabilities regularly
## Dependency Security
We use automated tools to monitor dependencies:
- Regular updates via Dependabot (recommended)
- Vulnerability scanning in CI/CD pipelines
- Manual security audits of critical dependencies
### Updating Dependencies
```bash
# Check for security vulnerabilities
pip install safety
safety check
# Update dependencies
pip install --upgrade -e ".[dev]"
```
## Security Checklist for Contributors
Before submitting a pull request, ensure:
- [ ] No hardcoded credentials or secrets
- [ ] Input validation on all user-provided data
- [ ] Proper error handling without information disclosure
- [ ] No SQL injection vulnerabilities (if using databases)
- [ ] No XSS vulnerabilities in web interfaces
- [ ] Dependencies are up to date
- [ ] Security tests are passing
- [ ] Code follows secure coding practices
## Vulnerability Disclosure Policy
We follow a coordinated disclosure policy:
1. **Private disclosure**: Vulnerabilities are reported privately
2. **Investigation period**: 90 days to develop and test a fix
3. **Coordinated release**: Fix is released with security advisory
4. **Public disclosure**: Details published after fix is available
## Security Updates
Security updates are released as:
- **Critical**: Immediate patch release
- **High**: Release within 7 days
- **Medium**: Release within 30 days
- **Low**: Included in next scheduled release
## Contact
For security-related questions or concerns:
- **Email**: yuki.vachot@datasingularity.fr
- **Response Time**: Within 48 hours
---
**Last Updated**: 2025-11-29
Reference in a new issue View git blame Copy permalink