If you discover a security vulnerability in Argus MCP, please do not open a public GitHub issue.

Report it privately via GitHub Security Advisories or by email to the maintainers.

Include:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Any suggested remediation

You will receive a response within 48 hours. We will work with you to understand, validate, and patch the issue before any public disclosure.

• No secrets in source — all credentials are loaded from .env (excluded from git). See .env.example for required variables.
• Bearer token auth — all MCP endpoints require a valid Bearer token. Rotate via .env + PM2 restart.
• Least-privilege database role — the app connects as threat_intel, a restricted PostgreSQL role with no DDL access and no superuser privileges.
• Passive intelligence only — Argus ingests from public threat feeds. It performs no active scanning, penetration testing, or offensive operations.
• No user data — Argus stores only public threat intelligence. It does not process or store end-user data.