We actively support the following versions of ActivityPub MCP Server with security updates:
| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0 | ❌ |
We take security vulnerabilities seriously. If you discover a security vulnerability, please follow these steps:
Please do not report security vulnerabilities through public GitHub issues. This could put users at risk.
Choose one of these methods to report security issues:
- Go to the Security tab of this repository
- Click "Report a vulnerability"
- Fill out the security advisory form with details
Send an email to the maintainers with:
- Subject: `[SECURITY] ActivityPub MCP Server - [Brief Description]`
- Details: Full description of the vulnerability
- Impact: Potential impact and affected versions
- Reproduction: Steps to reproduce (if applicable)
When reporting a vulnerability, please include:
- Description: Clear description of the vulnerability
- Impact: What could an attacker accomplish?
- Affected versions: Which versions are affected?
- Reproduction steps: How to reproduce the issue
- Proof of concept: Code or screenshots (if applicable)
- Suggested fix: If you have ideas for a fix
We will acknowledge receipt of your vulnerability report within 48 hours.
We will investigate the issue and determine:
- Severity level
- Affected versions
- Potential impact
- Required fixes
We will develop and test a fix for the vulnerability.
- Day 0: Vulnerability reported
- Day 1-2: Acknowledgment sent
- Day 3-14: Investigation and fix development
- Day 14-30: Security release published
- Day 30+: Public disclosure (if appropriate)
We will:
- Release a patched version
- Publish a security advisory
- Credit the reporter (if desired)
- Use official packages: Only install from npm or official sources
- Verify checksums: Check package integrity when possible
- Keep updated: Regularly update to the latest version
- Secure environment variables: Never commit `.env` files
- Use HTTPS: Always use HTTPS in production
- Limit access: Restrict network access to necessary ports
- Regular audits: Run `npm audit` regularly
- Monitor logs: Watch for suspicious activity
- Rate limiting: Enable rate limiting in production
- Input validation: Validate all external inputs
- Secure headers: Use appropriate HTTP security headers
- Input validation: Validate and sanitize all inputs
- Output encoding: Properly encode outputs
- Authentication: Implement proper authentication
- Authorization: Check permissions for all actions
- Minimal dependencies: Only include necessary dependencies
- Regular updates: Keep dependencies updated
- Security scanning: Use automated security scanning
- License compliance: Ensure license compatibility
- Signature verification: Verify HTTP signatures
- Actor validation: Validate remote actors
- Content filtering: Filter malicious content
- Rate limiting: Implement federation rate limits
- HTTP Signature verification is critical for federation security
- Actor impersonation is possible without proper verification
- Content injection through malicious ActivityPub objects
- Denial of service through federation flooding
- Command injection through malicious MCP requests
- Resource exhaustion through excessive MCP calls
- Information disclosure through verbose error messages
- Privilege escalation through improper tool access
- Prototype pollution in JavaScript objects
- Path traversal in file operations
- Code injection through eval or similar functions
- Memory leaks in long-running processes
We use the following tools to maintain security:
- npm audit: Dependency vulnerability scanning
- CodeQL: Static code analysis
- Dependabot: Automated dependency updates
- GitHub Security Advisories: Vulnerability tracking
We believe in responsible disclosure and will work with security researchers to:
- Understand the issue fully before disclosure
- Develop appropriate fixes before public release
- Coordinate disclosure timing to protect users
- Provide credit to researchers (if desired)
For security-related questions or concerns:
- GitHub Security Advisories: Report a vulnerability
- General security questions: Create a private issue or discussion
This security policy is provided in good faith. We reserve the right to:
- Determine the severity and impact of reported issues
- Decide on appropriate disclosure timelines
- Modify this policy as needed
Thank you for helping keep ActivityPub MCP Server secure! 🔒