We release patches for security vulnerabilities for the following versions:
| Version | Supported |
|---|---|
| 0.1.x | ✅ |
If you discover a security vulnerability, please DO NOT open a public issue.
Instead, please report it by emailing: miiitch@gmail.com
Include the following information in your report:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if you have one)
Our response timeline after receiving a report:
- Acknowledgment: Within 48 hours
- Initial assessment: Within 7 days
- Fix timeline: Depends on severity
  - Critical: 1-7 days
  - High: 7-14 days
  - Medium: 14-30 days
  - Low: 30-90 days
- Public disclosure: After fix is released
When using this project:
- Keep dependencies updated: Run `npm audit` regularly
- Use official releases: Don't use code from arbitrary commits
- Review permissions: The extension only needs MCP server access
- No credentials: This tool doesn't require Azure credentials (uses public pricing API)
- This tool queries the public Azure Retail Prices API (no authentication required)
- No sensitive data is collected or stored
- MCP server runs locally (no data sent to external servers except Azure pricing API)
We follow responsible disclosure practices:
- Security issues are fixed privately
- Affected users are notified
- Public disclosure after patch is available
- Credit given to reporters (if desired)
We don't currently have a bug bounty program, but we greatly appreciate security researchers who help keep our users safe.
If you have questions about security, email: miiitch@gmail.com
Microsoft, Azure, Terraform, and GitHub are trademarks of their respective owners.
This is an independent open-source project and is not affiliated with, endorsed by, or sponsored by Microsoft Corporation, HashiCorp, Inc., or GitHub, Inc.
This tool is designed to work with Microsoft Azure services and the Terraform infrastructure-as-code tool.