We take security vulnerabilities seriously. If you discover a security issue, please report it to us by following these steps:
- On GitHub, navigate to the main page of the repository.
- Under the repository name, click the Security tab.
- Click Report a vulnerability to open the advisory form.
- Fill in the form with as much detail as possible.
We will do our best to respond to your report within 48 hours.
This project adheres to the Positronikal Repository Security Rules. Please refer to these rules for more information on our security practices.
- Initial Response: Within 48 hours of report
- Severity Assessment: Within 72 hours
- Patch Development: Critical issues within 7 days, others within 30 days
- Public Disclosure: After patch is available and deployed
- Critical: Remote code execution, privilege escalation, data breach
- High: Shell injection, path traversal, authentication bypass
- Medium: Information disclosure, denial of service
- Low: Minor security improvements
We practice responsible disclosure and request that reporters:
- Allow reasonable time for patching before public disclosure
- Avoid testing on production systems without authorization
- Do not exploit vulnerabilities beyond proof-of-concept
- Coordinate disclosure timing with maintainers
ProcExecMCP includes multiple security layers:
- No shell injection vulnerabilities (shell=False enforcement)
- Path traversal prevention
- Resource exhaustion protection
- Error message sanitization
- Comprehensive security test suite
For detailed security architecture, see etc/SECURITY_ARCHITECTURE.md.