We actively support and provide security updates for the following versions:

Please do not report security vulnerabilities through public GitHub issues.

1. Go to the Security Advisories page
2. Click "Report a vulnerability"
3. Fill out the security advisory form with details

If you prefer email communication, you can reach out to the maintainer:

• Email: Contact through GitHub profile
• Response Time: We aim to respond within 48 hours

When reporting a security vulnerability, please include:

• Type of vulnerability (e.g., SQL injection, authentication bypass, data exposure)
• Component affected (specific MCP tool, database connection, etc.)
• MySQL version(s) where the vulnerability exists
• Environment details (deployment method, permissions, extensions)

• Step-by-step reproduction guide
• Sample configuration (with sensitive data removed)
• Expected vs actual behavior
• Potential impact assessment

• Immediate workarounds (if any)
• Proposed fixes (if you have suggestions)
• Affected user base (estimation)

Our MCP server handles sensitive database operations. Key security areas include:

• Database Connection Security: Connection string handling, credential management
• Query Safety: SQL injection prevention, query validation
• Data Exposure: Sensitive information masking in outputs
• Access Control: Permission requirements, privilege escalation prevention
• Network Security: Connection encryption, host validation
• Extension Security: Safe handling of pg_stat_statements and pg_stat_monitor data
• MCP Transport Security: Secure client-server communication

• Read-only Operations: All tools perform read-only database operations
• Input Validation: Query parameters are validated and sanitized
• Credential Masking: Passwords and sensitive data are masked in logs/outputs
• Least Privilege: Operates with minimal required database permissions
• Version Compatibility: Secure handling across MySQL 12-17

1. Initial Response: Within 48 hours of report
2. Vulnerability Assessment: Within 1 week
3. Fix Development: Timeline depends on severity
4. Security Release: Coordinated disclosure with reporter
5. Public Disclosure: After fix is available and users have time to update

We follow industry-standard CVSS scoring:

• Critical (9.0-10.0): Immediate attention, emergency release
• High (7.0-8.9): High priority, next planned release
• Medium (4.0-6.9): Normal priority, regular release cycle
• Low (0.1-3.9): Low priority, may be bundled with other updates

• Use dedicated database users with minimal required permissions
• Enable SSL/TLS for database connections
• Regularly rotate credentials and connection strings
• Monitor access logs for unusual activity
• Keep MySQL updated to latest supported version
• Secure extension data: Be aware that pg_stat_statements contains query text and execution statistics

• Avoid superuser permissions unless absolutely necessary
• Use connection pooling with appropriate limits
• Configure proper network isolation (VPC, firewalls)
• Enable audit logging in MySQL for sensitive environments
• Review MCP client access regularly

• Client authentication: Ensure secure MCP server access and authorized clients only
• Transport security: Use HTTPS for streamable-http mode in production
• Client validation: Monitor and restrict MCP client connections
• Environment variables: Secure storage of database credentials in client configurations

• Container isolation: Use non-root users in containers
• Secrets management: Use Docker secrets or secure environment variable injection
• Network security: Proper container network configuration and port restrictions
• Image security: Use official MySQL images and keep containers updated

We appreciate the security research community and will acknowledge researchers who report vulnerabilities responsibly:

• Public acknowledgment in release notes (if desired)
• Security researchers page recognition
• Direct communication throughout the process

For security-related questions or concerns:

• GitHub Security Advisories: Report a vulnerability
• General Security Questions: GitHub Discussions - Security
• Maintainer Contact: Available through GitHub profile

Thank you for helping keep MCP MySQL Operations and the community safe! 🛡️