We actively support the following versions with security updates:

| Version | Supported |
|---------|-----------|
| 1.0.x   | ✅        |
| < 1.0   | ❌        |
If you discover a security vulnerability in this project, please report it responsibly:
- DO NOT create a public issue for security vulnerabilities
- Email security concerns to: mukuljangra5@gmail.com
- Include detailed information about the vulnerability
- Provide steps to reproduce the issue
- Include your contact information
Please include the following in your report:
- Description of the vulnerability
- Steps to reproduce
- Potential impact assessment
- Suggested fix (if available)
- Your contact information
Response timeline:
- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Fix Timeline: Varies by severity
  - Critical: 1-3 days
  - High: 1-2 weeks
  - Medium: 2-4 weeks
  - Low: Next release cycle
Recommended security practices for deploying and developing this server:
- Environment Variables: Always store database credentials in environment variables, never hardcode them
- Network Security: Run the server behind a firewall or VPN in production
- Database Permissions: Use read-only database users when possible
- SSL/TLS: Enable SSL connections to your MySQL server
- Access Control: Restrict access to the MCP server to authorized users only
- Regular Updates: Keep dependencies and MySQL server updated
- Input Validation: All SQL queries are validated before execution
- Parameterized Queries: Use parameterized queries to prevent SQL injection
- Error Handling: Avoid exposing sensitive information in error messages
- Logging: Be careful not to log sensitive information like passwords
- Code Review: All changes undergo security review
Security features built into this project:
- SQL Injection Protection: Parameterized queries and input validation
- Read-Only Mode: Option to run in read-only mode for safety
- Connection Security: SSL/TLS support for database connections
- Access Logging: Comprehensive logging of database operations
- Privilege Auditing: Built-in tools to audit database privileges
- Error Sanitization: Error messages are sanitized to prevent information disclosure
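As an added example (not the project's own code), here is how the read-only mode gate, driver-side parameter binding and error sanitization described above fit together in Python; it assumes a DB-API cursor such as one from mysql.connector and a read-only policy that permits only SELECT, SHOW, DESCRIBE and EXPLAIN:

```python
import re

# Statement types permitted when the server runs in read-only mode (assumed policy).
READ_ONLY_PREFIXES = ("SELECT", "SHOW", "DESCRIBE", "DESC", "EXPLAIN")
_LEADING_COMMENT = re.compile(r"^(?:\s*(?:--[^\n]*|#[^\n]*|/\*.*?\*/))+", re.S)
# Read keywords that still write: INTO OUTFILE/DUMPFILE hit the filesystem, FOR UPDATE takes locks.
_WRITE_TAILS = re.compile(r"\bINTO\s+(?:OUTFILE|DUMPFILE)\b|\bFOR\s+UPDATE\b", re.I)
# Details a driver error may leak to the MCP client; replaced before the message is returned.
_REDACTIONS = (
    (re.compile(r"(password\s*[=:]\s*)[^\s)]+", re.I), r"\1[REDACTED]"),
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?\b"), "[host]"),
)


def is_read_only_statement(sql: str) -> bool:
    """Accept a single read statement; anything doubtful is rejected (fail closed).
    Defence in depth only: the real guarantee is a read-only MySQL user."""
    body = sql.strip().rstrip(";").strip()
    if not body or ";" in body:  # stacked statements (or ';' inside a literal): reject
        return False
    body = _LEADING_COMMENT.sub("", body, count=1).strip()  # "/* x */ DELETE" is not a read
    first = re.match(r"[A-Za-z]+", body)
    if first is None or first.group(0).upper() not in READ_ONLY_PREFIXES:
        return False
    return _WRITE_TAILS.search(body) is None


def sanitize_error(message: str) -> str:
    """Strip credentials and host addresses from an error before the client sees it."""
    for pattern, replacement in _REDACTIONS:
        message = pattern.sub(replacement, message)
    return message


def run_query(cursor, sql: str, params: tuple = (), read_only: bool = True):
    """Run one query with driver-side parameter binding; returns (rows, error_message).
    `cursor` is any DB-API cursor (e.g. from mysql.connector); values in `params` are
    escaped by the driver and never concatenated into the SQL text."""
    if read_only and not is_read_only_statement(sql):
        return None, "rejected: server is in read-only mode"
    try:
        cursor.execute(sql, params)
        return cursor.fetchall(), None
    except Exception as exc:  # whatever the driver raises, the client gets a sanitized message
        return None, sanitize_error(str(exc))
```

The gate is deliberately conservative: a query it cannot classify with certainty is refused rather than passed through.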
We are committed to working with security researchers and the community to verify and address security vulnerabilities. We ask that you:
- Give us reasonable time to address issues before public disclosure
- Avoid accessing, modifying, or deleting data during testing
- Only test against systems you own or have permission to test
- Respect user privacy and comply with applicable laws
Security updates are released as patch versions (e.g., 1.0.1, 1.0.2) and are clearly marked in the release notes. Subscribe to repository notifications to stay informed about security updates.
We appreciate the security research community and will acknowledge researchers who responsibly disclose vulnerabilities (unless they prefer to remain anonymous).
For security-related questions or concerns:
- Email: mukuljangra5@gmail.com
- GitHub: Create a private vulnerability report
- Encrypted Communication: Available upon request
Note: This security policy is subject to change. Please check back regularly for updates.