The following versions of operaton-mcp currently receive security updates:

| Version | Supported |
|---|---|
| 1.x.x | ✅ |

Please do not report security vulnerabilities through public GitHub issues.
Use GitHub Security Advisories to disclose vulnerabilities privately.
When submitting a report, please include:
- A clear explanation of the vulnerability and its potential consequences
- Affected versions and your system environment
- Step-by-step reproduction instructions, with proof-of-concept code or screenshots if available
- Your contact information for follow-up questions
- Your attribution preferences (credit, anonymous, or no mention)

We are a volunteer-led open-source project. While we do not offer a formal SLA, we aim to:
- Acknowledge your report within a few days of receipt.
- Investigate the issue and keep you informed of progress.
- Release a fix as soon as a patch is ready; security fixes are prioritised over feature work.
- Publish a GitHub Security Advisory once the fix is available, crediting the reporter on request.

The following are in scope:
- Vulnerabilities in the operaton-mcp source code
- Issues in the build or release process that could compromise artifact integrity
- Security issues in official npm releases

The following are out of scope:
- Denial-of-service attacks against the Operaton REST API itself
- Vulnerabilities in third-party libraries (report those to the relevant upstream project)
- Social engineering attacks
- Local exploits that do not involve privilege escalation

operaton-mcp is released under the Apache License 2.0. It is maintained by volunteers on a best-effort basis. There are no contractual commitments or service-level agreements of any kind. By participating in responsible disclosure, you agree that your report will be handled in good faith.