# Security Policy

## Purpose and Scope

This document defines the security vulnerability reporting, response, and disclosure policy for dolibarr-api-mcp and all repositories governed by MokoStandards.

## Supported Versions

| Version | Supported          |
| ------- | ------------------ |
| 1.x.x   | :white_check_mark: |
| < 1.0   | :x:                |

Only the current major version receives security updates.

## Reporting a Vulnerability

Report security vulnerabilities via Gitea issue (preferred):

https://git.mokoconsulting.tech/MokoConsulting/dolibarr-api-mcp/issues/new?template=security.yaml

Or email: hello@mokoconsulting.tech

### Where to Report

**DO NOT** create public issues for security vulnerabilities.

Report security vulnerabilities privately to:

- **Email**: `hello@mokoconsulting.tech`
- **Subject Line**: `[SECURITY] Brief Description`

### What to Include

1. **Description**: Clear explanation of the vulnerability
2. **Impact**: Potential security impact and severity assessment
3. **Affected Versions**: Which versions are vulnerable
4. **Reproduction Steps**: Detailed steps to reproduce the issue
5. **Proof of Concept**: Code or demonstration (if applicable)
6. **Suggested Fix**: Proposed remediation (if known)

### Response Timeline

* **Initial Response**: Within 3 business days
* **Assessment Complete**: Within 7 business days
* **Fix Timeline**: Depends on severity (see below)

## Severity Classification

### Critical

* API key exposure or leakage
* Remote code execution via API parameters
* Authentication bypass
* **Fix Timeline**: 7 days

### High

* SQL injection via the `sqlfilters` parameter
* Unauthorized access to Dolibarr data
* **Fix Timeline**: 14 days

### Medium

* Information disclosure (limited scope)
* Configuration file exposure
* **Fix Timeline**: 30 days

### Low

* Security best practice violations
* Minor information leaks
* **Fix Timeline**: 60 days or next release

## Security Considerations

### API Key Storage

- API keys are stored in `~/.dolibarr-api-mcp.json` with user-only file permissions
- Never commit API keys to version control
- The `.gitignore` excludes `.mcp.json` and environment files

### SQL Filter Safety

- The `buildSqlFilter()` helper escapes single quotes to prevent SQL injection via the `sqlfilters` parameter
- All user-provided search terms are wrapped with the helper before being sent to Dolibarr

### TLS Verification

- The `insecure` connection option disables TLS certificate verification
- This should only be used for local development with self-signed certificates
- Production connections should always use valid TLS certificates

## Attribution and Recognition

We acknowledge and appreciate responsible disclosure. With your permission, we will credit you in security advisories and release notes.

## Revision History

| Date       | Version | Author  | Notes                   |
| ---------- | ------- | ------- | ----------------------- |
| 2026-05-07 | 0.0.1   | jmiller | Initial security policy |
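The two controls under "Security Considerations" (single-quote escaping in `buildSqlFilter()` for the `sqlfilters` parameter, and user-only permissions on `~/.dolibarr-api-mcp.json`) are illustrated by the following added example. It is not the project's own code: the `FilterClause` shape, the field-name whitelist, the `isUserOnlyMode()` helper and the doubling of single quotes are this example's assumptions; the `(t.field:operator:'value')` filter syntax joined with `and` follows the public Dolibarr REST API documentation.

```typescript
// Added example (not dolibarr-api-mcp's own code): a minimal sqlfilters
// builder that applies the escaping rule the policy describes, plus a
// check for the file-mode requirement on the API key config file.

type FilterOperator = "=" | "!=" | "like" | "<" | ">";

interface FilterClause {
  field: string;           // column reference such as "t.nom"
  operator: FilterOperator;
  value: string;           // untrusted, user-supplied search term
}

// Only a plain identifier with an optional table alias is accepted as a
// field name, so user input can never reach the column part of the filter.
const FIELD_RE = /^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)?$/;

// Doubling a single quote is the standard SQL way of embedding one inside
// a quoted literal (assumed escaping rule; the policy only says "escapes
// single quotes"). The surrounding quotes are added by the caller.
function escapeSqlValue(value: string): string {
  return value.replace(/'/g, "''");
}

// Build a Dolibarr sqlfilters string such as
//   (t.nom:like:'%O''Brien%')and(t.client:=:'1')
// Every value is escaped and quoted; LIKE terms are wrapped in % wildcards.
function buildSqlFilter(clauses: FilterClause[]): string {
  return clauses
    .map(({ field, operator, value }) => {
      if (!FIELD_RE.test(field)) {
        throw new Error(`refusing unsafe field name: ${JSON.stringify(field)}`);
      }
      const escaped = escapeSqlValue(value);
      const literal = operator === "like" ? `%${escaped}%` : escaped;
      return `(${field}:${operator}:'${literal}')`;
    })
    .join("and");
}

// The policy requires user-only permissions on ~/.dolibarr-api-mcp.json.
// This accepts a st_mode value (e.g. fs.statSync(path).mode) and rejects
// any group or other read/write/execute bit, i.e. anything looser than 0600.
function isUserOnlyMode(mode: number): boolean {
  return (mode & 0o077) === 0;
}

// Demonstration with a constructed search term containing a single quote:
// the quote is doubled, so it cannot terminate the literal early.
const userInput = "O'Brien";
console.log(buildSqlFilter([{ field: "t.nom", operator: "like", value: userInput }]));
console.log("0600 ok:", isUserOnlyMode(0o100600), "0644 ok:", isUserOnlyMode(0o100644));
```

In practice the mode check is applied to the real file with `isUserOnlyMode(fs.statSync(configPath).mode)` before the key is read, and a failure is reported rather than silently tolerated.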