73c7d5554f
Add all required MokoStandards documentation files. Refactor inline sqlfilters strings to use buildSqlFilter() and searchFilter() helpers for safe query construction with proper escaping. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
# Security Policy
## Purpose and Scope
This document defines the security vulnerability reporting, response, and disclosure policy for dolibarr-api-mcp and all repositories governed by MokoStandards.
## Supported Versions
| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0 | ❌ |
Only the current major version receives security updates.
## Reporting a Vulnerability
Report security vulnerabilities via Gitea issue (preferred): https://git.mokoconsulting.tech/MokoConsulting/dolibarr-api-mcp/issues/new?template=security.yaml
Or email: hello@mokoconsulting.tech
### Where to Report
DO NOT create public issues for security vulnerabilities.
Report security vulnerabilities privately to:
Email: hello@mokoconsulting.tech
Subject Line: [SECURITY] Brief Description
### What to Include
- Description: Clear explanation of the vulnerability
- Impact: Potential security impact and severity assessment
- Affected Versions: Which versions are vulnerable
- Reproduction Steps: Detailed steps to reproduce the issue
- Proof of Concept: Code or demonstration (if applicable)
- Suggested Fix: Proposed remediation (if known)
### Response Timeline
- Initial Response: Within 3 business days
- Assessment Complete: Within 7 business days
- Fix Timeline: Depends on severity (see below)
## Severity Classification
### Critical
- API key exposure or leakage
- Remote code execution via API parameters
- Authentication bypass
- Fix Timeline: 7 days
### High
- SQL injection via sqlfilters parameter
- Unauthorized access to Dolibarr data
- Fix Timeline: 14 days
### Medium
- Information disclosure (limited scope)
- Configuration file exposure
- Fix Timeline: 30 days
### Low
- Security best practice violations
- Minor information leaks
- Fix Timeline: 60 days or next release
## Security Considerations
### API Key Storage
- API keys are stored in `~/.dolibarr-api-mcp.json` with user-only file permissions
- Never commit API keys to version control
- The `.gitignore` excludes `.mcp.json` and environment files
### SQL Filter Safety
- The `buildSqlFilter()` helper escapes single quotes to prevent SQL injection via the `sqlfilters` parameter
- All user-provided search terms are wrapped with the helper before being sent to Dolibarr
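To make the escaping rule concrete, here is an added example of a hardened filter builder for Dolibarr's `sqlfilters` syntax (clauses of the form `(t.ref:like:'SO-%')`). It is not the project's own `buildSqlFilter()` or `searchFilter()`; the allow-list pattern for field names, the operator set, and escaping by doubling the single quote are assumptions of this example. It goes slightly beyond the page by also rejecting unexpected field names and operators, since a quote-escaping helper alone does nothing for those parameters.

```javascript
// Added example, not the project's own helpers: a hardened builder for
// Dolibarr sqlfilters clauses. Assumptions: field names must match FIELD_RE,
// operators must be in ALLOWED_OPS, and single quotes are escaped by doubling.
const FIELD_RE = /^[a-z][a-z0-9_]*(\.[a-z][a-z0-9_]*)?$/;
const ALLOWED_OPS = new Set(['=', '!=', '<', '<=', '>', '>=', 'like']);

// Double every single quote so the value can never close the quoted literal.
function escapeSqlValue(value) {
  return String(value).replace(/'/g, "''");
}

// Build one (field:op:'value') clause; anything outside the allow-lists is an error.
function buildSqlFilter(field, op, value) {
  if (!FIELD_RE.test(field)) {
    throw new Error(`invalid field name: ${field}`);
  }
  if (!ALLOWED_OPS.has(op)) {
    throw new Error(`operator not allowed: ${op}`);
  }
  return `(${field}:${op}:'${escapeSqlValue(value)}')`;
}

// Contains-search on a user-supplied term; the term always goes through buildSqlFilter.
function searchFilter(field, term) {
  return buildSqlFilter(field, 'like', `%${term}%`);
}

// The pattern the refactor replaced: raw concatenation of the search term,
// kept here only to show why the helper is needed.
function naiveSearchFilter(field, term) {
  return `(${field}:like:'%${term}%')`;
}

// Constructed input: a legitimate surname that happens to contain a quote.
// With naive concatenation it ends the literal early; with the helper it is data.
const SAMPLE_TERM = "O'Brien";

function demo() {
  return {
    naive: naiveSearchFilter('t.lastname', SAMPLE_TERM),
    safe: searchFilter('t.lastname', SAMPLE_TERM),
  };
}
```

`demo()` returns `(t.lastname:like:'%O'Brien%')` for the naive version, where the quote has broken the literal, and `(t.lastname:like:'%O''Brien%')` for the helper, where it is an escaped character inside it.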
### TLS Verification
- The `insecure` connection option disables TLS certificate verification
- This should only be used for local development with self-signed certificates
- Production connections should always use valid TLS certificates
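One way to keep the `insecure` option from reaching production is to make the client refuse it for any non-loopback host. This is an added example, not the project's own code: the `insecure` option name is the one the policy documents, while the function names, the loopback rule and the rejection of non-HTTPS URLs are assumptions of this example.

```javascript
// Added example, not the project's own code: derive TLS options for the
// outbound Dolibarr API connection. Certificate verification is only ever
// disabled when `insecure` is set AND the host is loopback, so a production
// URL cannot be downgraded by a leftover development setting.
const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '::1', '[::1]']);

// WHATWG URL keeps brackets around IPv6 literals in hostname, hence '[::1]'.
function isLoopbackHost(hostname) {
  return LOOPBACK_HOSTS.has(hostname.toLowerCase());
}

// Returns the option bag for https.request(); rejectUnauthorized stays true
// unless the insecure flag is set for a loopback host.
function tlsOptionsFor(baseUrl, { insecure = false } = {}) {
  const url = new URL(baseUrl);
  if (url.protocol !== 'https:') {
    throw new Error(`refusing non-TLS API URL: ${baseUrl}`);
  }
  if (insecure && !isLoopbackHost(url.hostname)) {
    throw new Error(`insecure=true is only allowed for loopback hosts, not ${url.hostname}`);
  }
  return { rejectUnauthorized: !insecure };
}
```

The returned object can be spread into the options of `https.request()`; with `insecure` unset it is always `{ rejectUnauthorized: true }`, and a configuration that pairs `insecure` with a remote hostname fails at startup rather than silently skipping verification.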
## Attribution and Recognition
We acknowledge and appreciate responsible disclosure. With your permission, we will credit you in security advisories and release notes.
## Revision History
| Date | Version | Author | Notes |
|---|---|---|---|
| 2026-05-07 | 0.0.1 | jmiller | Initial security policy |