SECURITY.md

<!--
Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>

This file is part of a Moko Consulting project.

SPDX-License-Identifier: GPL-3.0-or-later

# FILE INFORMATION
DEFGROUP: dolibarr-api-mcp.Documentation
INGROUP: dolibarr-api-mcp
REPO: https://git.mokoconsulting.tech/MokoConsulting/dolibarr-api-mcp
PATH: /SECURITY.md
VERSION: 01.00.00
BRIEF: Security vulnerability reporting and handling policy
-->

# Security Policy

## Purpose and Scope

This document defines the security vulnerability reporting, response, and disclosure policy for dolibarr-api-mcp and all repositories governed by MokoStandards.

## Supported Versions

| Version | Supported          |
| ------- | ------------------ |
| 1.x.x   | :white_check_mark: |
| < 1.0   | :x:                |

Only the current major version receives security updates.

## Reporting a Vulnerability

Report security vulnerabilities via Gitea issue (preferred):
https://git.mokoconsulting.tech/MokoConsulting/dolibarr-api-mcp/issues/new?template=security.yaml

Or email: hello@mokoconsulting.tech

### Where to Report

**DO NOT** create public issues for security vulnerabilities.

Report security vulnerabilities privately to:

**Email**: `hello@mokoconsulting.tech`

**Subject Line**: `[SECURITY] Brief Description`

### What to Include

1. **Description**: Clear explanation of the vulnerability
2. **Impact**: Potential security impact and severity assessment
3. **Affected Versions**: Which versions are vulnerable
4. **Reproduction Steps**: Detailed steps to reproduce the issue
5. **Proof of Concept**: Code or demonstration (if applicable)
6. **Suggested Fix**: Proposed remediation (if known)

### Response Timeline

* **Initial Response**: Within 3 business days
* **Assessment Complete**: Within 7 business days
* **Fix Timeline**: Depends on severity (see below)

## Severity Classification

### Critical
* API key exposure or leakage
* Remote code execution via API parameters
* Authentication bypass
* **Fix Timeline**: 7 days

### High
* SQL injection via sqlfilters parameter
* Unauthorized access to Dolibarr data
* **Fix Timeline**: 14 days

### Medium
* Information disclosure (limited scope)
* Configuration file exposure
* **Fix Timeline**: 30 days

### Low
* Security best practice violations
* Minor information leaks
* **Fix Timeline**: 60 days or next release

## Security Considerations

### API Key Storage

- API keys are stored in `~/.dolibarr-api-mcp.json` with user-only file permissions
- Never commit API keys to version control
- The `.gitignore` excludes `.mcp.json` and environment files

### SQL Filter Safety

- The `buildSqlFilter()` helper escapes single quotes to prevent SQL injection via the `sqlfilters` parameter
- All user-provided search terms are wrapped with the helper before being sent to Dolibarr

### TLS Verification

- The `insecure` connection option disables TLS certificate verification
- This should only be used for local development with self-signed certificates
- Production connections should always use valid TLS certificates

## Attribution and Recognition

We acknowledge and appreciate responsible disclosure. With your permission, we will credit you in security advisories and release notes.

## Revision History

| Date | Version | Author | Notes |
| --- | --- | --- | --- |
| 2026-05-07 | 0.0.1 | jmiller | Initial security policy |
feat: initial MCP server for Dolibarr ERP/CRM REST API 2026-05-07 14:13:52 -05:00			`<!--`
			`Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>`

			`This file is part of a Moko Consulting project.`

			`SPDX-License-Identifier: GPL-3.0-or-later`

			`# FILE INFORMATION`
			`DEFGROUP: dolibarr-api-mcp.Documentation`
			`INGROUP: dolibarr-api-mcp`
			`REPO: https://git.mokoconsulting.tech/MokoConsulting/dolibarr-api-mcp`
			`PATH: /SECURITY.md`
			`VERSION: 01.00.00`
			`BRIEF: Security vulnerability reporting and handling policy`
			`-->`

			`# Security Policy`

			`## Purpose and Scope`

docs: add CHANGELOG, CONTRIBUTING, SECURITY, and sqlfilter builder 2026-05-07 14:15:27 -05:00			`This document defines the security vulnerability reporting, response, and disclosure policy for dolibarr-api-mcp and all repositories governed by MokoStandards.`
feat: initial MCP server for Dolibarr ERP/CRM REST API 2026-05-07 14:13:52 -05:00
			`## Supported Versions`

			`\| Version \| Supported \|`
			`\| ------- \| ------------------ \|`
			`\| 1.x.x \| :white_check_mark: \|`
			`\| < 1.0 \| :x: \|`

docs: add CHANGELOG, CONTRIBUTING, SECURITY, and sqlfilter builder 2026-05-07 14:15:27 -05:00			`Only the current major version receives security updates.`

feat: initial MCP server for Dolibarr ERP/CRM REST API 2026-05-07 14:13:52 -05:00			`## Reporting a Vulnerability`

			`Report security vulnerabilities via Gitea issue (preferred):`
docs: add CHANGELOG, CONTRIBUTING, SECURITY, and sqlfilter builder 2026-05-07 14:15:27 -05:00			`https://git.mokoconsulting.tech/MokoConsulting/dolibarr-api-mcp/issues/new?template=security.yaml`
feat: initial MCP server for Dolibarr ERP/CRM REST API 2026-05-07 14:13:52 -05:00
			`Or email: hello@mokoconsulting.tech`

docs: add CHANGELOG, CONTRIBUTING, SECURITY, and sqlfilter builder 2026-05-07 14:15:27 -05:00			`### Where to Report`

			`DO NOT create public issues for security vulnerabilities.`

			`Report security vulnerabilities privately to:`

			Email: `hello@mokoconsulting.tech`

			Subject Line: `[SECURITY] Brief Description`
feat: initial MCP server for Dolibarr ERP/CRM REST API 2026-05-07 14:13:52 -05:00
			`### What to Include`

			`1. Description: Clear explanation of the vulnerability`
docs: add CHANGELOG, CONTRIBUTING, SECURITY, and sqlfilter builder 2026-05-07 14:15:27 -05:00			`2. Impact: Potential security impact and severity assessment`
feat: initial MCP server for Dolibarr ERP/CRM REST API 2026-05-07 14:13:52 -05:00			`3. Affected Versions: Which versions are vulnerable`
docs: add CHANGELOG, CONTRIBUTING, SECURITY, and sqlfilter builder 2026-05-07 14:15:27 -05:00			`4. Reproduction Steps: Detailed steps to reproduce the issue`
			`5. Proof of Concept: Code or demonstration (if applicable)`
			`6. Suggested Fix: Proposed remediation (if known)`
feat: initial MCP server for Dolibarr ERP/CRM REST API 2026-05-07 14:13:52 -05:00
			`### Response Timeline`

			`* Initial Response: Within 3 business days`
			`* Assessment Complete: Within 7 business days`
docs: add CHANGELOG, CONTRIBUTING, SECURITY, and sqlfilter builder 2026-05-07 14:15:27 -05:00			`* Fix Timeline: Depends on severity (see below)`

			`## Severity Classification`

			`### Critical`
			`* API key exposure or leakage`
			`* Remote code execution via API parameters`
			`* Authentication bypass`
			`* Fix Timeline: 7 days`

			`### High`
			`* SQL injection via sqlfilters parameter`
			`* Unauthorized access to Dolibarr data`
			`* Fix Timeline: 14 days`

			`### Medium`
			`* Information disclosure (limited scope)`
			`* Configuration file exposure`
			`* Fix Timeline: 30 days`

			`### Low`
			`* Security best practice violations`
			`* Minor information leaks`
			`* Fix Timeline: 60 days or next release`
feat: initial MCP server for Dolibarr ERP/CRM REST API 2026-05-07 14:13:52 -05:00
docs: add CHANGELOG, CONTRIBUTING, SECURITY, and sqlfilter builder 2026-05-07 14:15:27 -05:00			`## Security Considerations`
feat: initial MCP server for Dolibarr ERP/CRM REST API 2026-05-07 14:13:52 -05:00
			`### API Key Storage`

docs: add CHANGELOG, CONTRIBUTING, SECURITY, and sqlfilter builder 2026-05-07 14:15:27 -05:00			- API keys are stored in `~/.dolibarr-api-mcp.json` with user-only file permissions
feat: initial MCP server for Dolibarr ERP/CRM REST API 2026-05-07 14:13:52 -05:00			`- Never commit API keys to version control`
docs: add CHANGELOG, CONTRIBUTING, SECURITY, and sqlfilter builder 2026-05-07 14:15:27 -05:00			- The `.gitignore` excludes `.mcp.json` and environment files
feat: initial MCP server for Dolibarr ERP/CRM REST API 2026-05-07 14:13:52 -05:00
docs: add CHANGELOG, CONTRIBUTING, SECURITY, and sqlfilter builder 2026-05-07 14:15:27 -05:00			`### SQL Filter Safety`
feat: initial MCP server for Dolibarr ERP/CRM REST API 2026-05-07 14:13:52 -05:00
docs: add CHANGELOG, CONTRIBUTING, SECURITY, and sqlfilter builder 2026-05-07 14:15:27 -05:00			- The `buildSqlFilter()` helper escapes single quotes to prevent SQL injection via the `sqlfilters` parameter
			`- All user-provided search terms are wrapped with the helper before being sent to Dolibarr`
feat: initial MCP server for Dolibarr ERP/CRM REST API 2026-05-07 14:13:52 -05:00
docs: add CHANGELOG, CONTRIBUTING, SECURITY, and sqlfilter builder 2026-05-07 14:15:27 -05:00			`### TLS Verification`
feat: initial MCP server for Dolibarr ERP/CRM REST API 2026-05-07 14:13:52 -05:00
docs: add CHANGELOG, CONTRIBUTING, SECURITY, and sqlfilter builder 2026-05-07 14:15:27 -05:00			- The `insecure` connection option disables TLS certificate verification
			`- This should only be used for local development with self-signed certificates`
			`- Production connections should always use valid TLS certificates`
feat: initial MCP server for Dolibarr ERP/CRM REST API 2026-05-07 14:13:52 -05:00
docs: add CHANGELOG, CONTRIBUTING, SECURITY, and sqlfilter builder 2026-05-07 14:15:27 -05:00			`## Attribution and Recognition`
feat: initial MCP server for Dolibarr ERP/CRM REST API 2026-05-07 14:13:52 -05:00
docs: add CHANGELOG, CONTRIBUTING, SECURITY, and sqlfilter builder 2026-05-07 14:15:27 -05:00			`We acknowledge and appreciate responsible disclosure. With your permission, we will credit you in security advisories and release notes.`
feat: initial MCP server for Dolibarr ERP/CRM REST API 2026-05-07 14:13:52 -05:00
			`## Revision History`

			`\| Date \| Version \| Author \| Notes \|`
			`\| --- \| --- \| --- \| --- \|`
			`\| 2026-05-07 \| 0.0.1 \| jmiller \| Initial security policy \|`