We actively support the following versions of OpenZIM MCP with security updates:
| Version | Supported |
|---|---|
| 0.2.x | Yes |
| 0.1.x | No (deprecated) |
We take security vulnerabilities seriously and appreciate your help in keeping OpenZIM MCP secure.
Please DO NOT report sensitive security vulnerabilities through public GitHub issues.
Instead, please report them privately using one of these methods:
- Go to the Security tab of this repository
- Click "Report a vulnerability"
- Fill out the vulnerability report form
- Submit the report
Send an email to: security@[project-domain] (replace with actual email)
Include in your email:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Any suggested fixes
- Your contact information for follow-up
For highly sensitive issues, you can use PGP encryption:
-----BEGIN PGP PUBLIC KEY BLOCK-----
[PGP public key would go here]
-----END PGP PUBLIC KEY BLOCK-----
For general security improvements, hardening suggestions, or non-exploitable security-related issues, you can:
- Open a public GitHub issue using the "Security Vulnerability Report" template
- Start a discussion in GitHub Discussions
Please include as much information as possible:
- Description: Clear description of the vulnerability
- Impact: What could an attacker accomplish?
- Reproduction: Step-by-step instructions to reproduce
- Environment: OS, Python version, OpenZIM MCP version
- ZIM Files: Information about test files used (if relevant)
- Proof of Concept: Code or commands demonstrating the issue
- Suggested Fix: Ideas for how to address the vulnerability
- References: Links to similar vulnerabilities or security resources
- CVSS Score: If you can calculate one
We are committed to responding to security reports promptly:
| Timeline | Action |
|---|---|
| 24 hours | Initial acknowledgment of your report |
| 72 hours | Initial assessment and severity classification |
| 7 days | Detailed response with our planned approach |
| 30 days | Target for fix development and testing |
| 45 days | Target for public disclosure (coordinated) |
Note: Complex vulnerabilities may require more time. We will keep you updated on our progress.
We classify vulnerabilities using the following criteria:
- Remote code execution
- Privilege escalation to system level
- Data exfiltration of sensitive information
- Local privilege escalation
- Authentication bypass
- Significant data exposure
- Information disclosure
- Denial of service
- Path traversal (limited impact)
- Minor information leaks
- Security misconfigurations
- Theoretical attacks with high complexity
OpenZIM MCP implements several security measures:
- Comprehensive path validation to prevent directory traversal
- Input sanitization for all user-provided data
- Type checking and validation using Pydantic
- Restricted file access to allowed directories only
- Secure error handling that doesn't leak sensitive information
- Resource limits to prevent abuse
- Regular security scanning with bandit
- Dependency vulnerability scanning
- Type safety with mypy
- Comprehensive testing including security tests
- Pre-commit hooks for security checks
- Automated security scanning in CI/CD
- Regular dependency updates
- Code review requirements
- ZIM files are processed using the libzim library
- Content is sanitized before processing
- Large files are handled with appropriate limits
- All file paths are validated against allowed directories
- Path traversal attacks are prevented through secure path resolution
- Symbolic links are handled safely
- Cache keys are validated to prevent cache poisoning
- Cached content has appropriate TTL limits
- Cache size is limited to prevent memory exhaustion
- Run OpenZIM MCP with minimal required privileges
- Use allowed directories to restrict file access
- Monitor logs for suspicious activity
- Keep dependencies updated
- Only use ZIM files from trusted sources
- Verify ZIM file integrity when possible
- Be cautious with user-provided ZIM files
- Use environment variables for sensitive configuration
- Avoid logging sensitive information
- Implement appropriate access controls
We follow responsible disclosure practices:
- Private Reporting: Vulnerabilities are reported privately
- Assessment: We assess and develop fixes privately
- Coordination: We coordinate with reporters on disclosure timing
- Public Disclosure: We disclose publicly after fixes are available
After a fix is available:
- Security Advisory: We publish a GitHub Security Advisory
- Release Notes: Security fixes are noted in release notes
- CVE Assignment: We request CVE assignment for significant vulnerabilities
- Credit: We credit reporters (unless they prefer anonymity)
Stay informed about security updates:
- GitHub Security Advisories: Watch this repository for security advisories
- Release Notes: Check release notes for security fixes
- Mailing List: Subscribe to our security mailing list (if available)
When security updates are released:
- Immediate: Critical vulnerabilities require immediate updates
- Scheduled: Lower severity issues may be bundled with regular releases
- Backports: Security fixes are backported to supported versions
Currently, we do not have a formal bug bounty program. However, we greatly appreciate security researchers who help improve our security posture.
We recognize security contributors through:
- Public acknowledgment in security advisories
- Credit in release notes
- Hall of fame in documentation (if desired)
- Primary Contact: [security email]
- Backup Contact: [backup email]
- Response Time: 24 hours for initial response
For general security questions or discussions:
- GitHub Discussions: Use the Security category
- Email: [general email]
We support security research conducted in good faith. We will not pursue legal action against researchers who:
- Report vulnerabilities responsibly through proper channels
- Do not access or modify data beyond what is necessary to demonstrate the vulnerability
- Do not perform testing on production systems without permission
- Respect user privacy and data protection laws
Please ensure your security research:
- Complies with applicable laws and regulations
- Respects user privacy and data protection
- Does not cause harm to our systems or users
- Follows coordinated disclosure practices
Thank you for helping to keep OpenZIM MCP secure!