We actively maintain and provide security updates for the following versions of the MCP Documentation Server:
Version | Supported | Notes |
---|---|---|
1.4.x | ✅ | Current stable release |
1.3.x | ✅ | Previous stable, security updates only |
1.2.x | ❌ | End of life, please upgrade |
1.1.x | ❌ | End of life, please upgrade |
1.0.x | ❌ | End of life, please upgrade |
< 1.0 | ❌ | Beta versions, not supported |
Recommendation: Always use the latest stable version (1.4.x) for the best security and feature support.
- All documents are stored locally in ~/.mcp-documentation-server/
- No data is transmitted to external servers (except for embedding model downloads)
- Ensure proper file system permissions on the storage directory
- Supported formats: Only .txt, .md, and .pdf files are processed
- PDF processing: Text extraction only, no code execution
- Malicious files: Always validate uploaded content before processing
- Path traversal: The server restricts file access to designated directories only
- The server runs locally via stdio transport by default
- No network ports are opened unless explicitly configured
- MCP protocol communication is handled by the client (e.g., Claude Desktop)
- Models are downloaded from HuggingFace Hub on first use
- Verify model integrity if using custom embedding models
- Models run locally without sending data to external services
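
The file-handling items above (supported formats, path traversal, storage directory permissions) can be checked along the following lines. This is an added example, not the server's own code: the function names are hypothetical, and the storage root and extension allowlist are assumptions taken from this policy.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Assumptions: storage root and allowlist mirror the policy text, not project source.
const STORAGE_ROOT = path.join(os.homedir(), '.mcp-documentation-server');
const ALLOWED_EXTENSIONS = new Set(['.txt', '.md', '.pdf']);

// True when `target` is strictly below `base` (both absolute paths).
function isInside(base, target) {
  const rel = path.relative(base, target);
  return rel !== '' && rel !== '..' && !rel.startsWith('..' + path.sep) && !path.isAbsolute(rel);
}

// Returns the absolute path for `requested` under `root`, or throws.
// Typical call: validateDocumentPath(STORAGE_ROOT, uploadedName)
function validateDocumentPath(root, requested) {
  if (typeof requested !== 'string' || requested.includes('\0')) {
    throw new Error('invalid path');
  }
  const base = fs.realpathSync(root);
  const target = path.resolve(base, requested);
  // Lexical check: catches "../" sequences and absolute paths.
  if (!isInside(base, target)) throw new Error('path escapes storage root');
  if (!ALLOWED_EXTENSIONS.has(path.extname(target).toLowerCase())) {
    throw new Error('unsupported file type');
  }
  // Symlink check: resolve the deepest existing ancestor and compare again.
  let existing = target;
  while (!fs.lstatSync(existing, { throwIfNoEntry: false })) {
    existing = path.dirname(existing);
  }
  const real = fs.realpathSync(existing); // throws on a dangling link
  if (real !== base && !isInside(base, real)) {
    throw new Error('path escapes storage root via symlink');
  }
  return target;
}

// POSIX only: true when group and other have no permission bits on `dir`.
function storageDirIsPrivate(dir) {
  return (fs.statSync(dir).mode & 0o077) === 0;
}
```

The extension check only filters by name; it does not inspect file content, so it complements rather than replaces validating uploaded documents.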
We take security seriously and appreciate responsible disclosure of security vulnerabilities.
- Email: Send details to [[email protected]] (replace with your actual email)
- GitHub Issues: For non-sensitive issues, you can use our issue tracker
- Security Advisories: For sensitive vulnerabilities, use GitHub's private vulnerability reporting
Please provide:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact assessment
- Suggested fix (if available)
- Your contact information for follow-up
- Initial Response: Within 48 hours of report
- Status Updates: Weekly updates on investigation progress
- Resolution: Target 30 days for fixes, depending on severity
- Public Disclosure: Coordinated disclosure after fix is available
If the vulnerability is accepted:
- We'll work with you on a fix timeline
- Credit will be given in release notes (if desired)
- Security advisory will be published after resolution
- Affected versions will be clearly documented
If the vulnerability is declined:
- Clear explanation of why it's not considered a security issue
- Alternative solutions or mitigations (if applicable)
- Guidance on proper usage to avoid the reported concern
- Keep the server updated to the latest version
- Regularly review uploaded documents and clean up unused files
- Use proper file system permissions for the storage directory
- Validate document sources before processing
- Monitor system resources during embedding generation
- Follow secure coding practices
- Validate all inputs before processing
- Keep dependencies updated
- Run security audits regularly (npm audit)
- Test with various file types and sizes
This security policy covers:
- The MCP Documentation Server codebase
- Direct dependencies and their known vulnerabilities
- File processing and storage mechanisms
- MCP protocol implementation
Out of scope:
- Third-party MCP clients (e.g., Claude Desktop)
- Operating system security
- Network infrastructure
- Embedding model training data or algorithms
For security-related questions or concerns:
- General Security: [[email protected]]
- Project Maintainer: @andrea9293
- Repository: mcp-documentation-server
Last updated: June 16, 2025