We take security seriously at GitScrum. This document outlines our security practices and how to report vulnerabilities.
| Version | Supported |
|---|---|
| 1.x.x | ✅ Yes |
| < 1.0 | ❌ No |
Please do not report security vulnerabilities through public GitHub issues.
- Email: security@gitscrum.com
- Subject: `[SECURITY] MCP Server - Brief Description`
- Include:
  - Type of vulnerability
  - Full path to the vulnerable file(s)
  - Step-by-step reproduction instructions
  - Proof-of-concept or exploit code (if available)
  - Potential impact assessment
| Timeline | Action |
|---|---|
| 48 hours | Acknowledgment of your report |
| 7 days | Initial assessment and severity classification |
| 30 days | Fix development and testing |
| 45 days | Public disclosure (coordinated) |
We will:
- Keep you informed throughout the process
- Credit you in the security advisory (if desired)
- Not take legal action against good-faith researchers
- Secure Storage: Tokens are stored locally in `~/.gitscrum/` with restricted permissions (0600)
- No Credential Persistence: Passwords are never stored; only authentication tokens
- Token Isolation: Each user's token is stored separately
Login attempts are rate-limited to prevent brute force attacks:
| Protection | Value |
|---|---|
| Maximum attempts | 5 per email address |
| Window duration | 15 minutes |
| Lockout period | 30 minutes |
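The table above states the limits but not how they fit together, so here is an in-memory login rate limiter that implements them. This is an added example written for this document, not GitScrum's own code; the `LoginRateLimiter` class, its method names and the injected clock are assumptions made so the 15-minute window and 30-minute lockout can be exercised without waiting.

```javascript
// Added example, not GitScrum's own code: an in-memory login rate limiter
// implementing the limits from the table above. The clock is injected so the
// 15-minute window and 30-minute lockout can be exercised without waiting.
const MAX_ATTEMPTS = 5;               // failed logins allowed per email address
const WINDOW_MS = 15 * 60 * 1000;     // sliding window in which failures are counted
const LOCKOUT_MS = 30 * 60 * 1000;    // how long an address stays locked after the limit

class LoginRateLimiter {
  constructor(now = () => Date.now()) {
    this.now = now;
    // email -> { attempts: timestamps (ms) of recent failures, lockedUntil: ms }
    this.state = new Map();
  }

  // Normalise so that "Alice@Example.com" and "alice@example.com" share one bucket.
  key(email) {
    return String(email).trim().toLowerCase();
  }

  // Call before verifying the password. Returns whether the attempt may proceed
  // and, if not, how long the caller should wait.
  check(email) {
    const t = this.now();
    const rec = this.state.get(this.key(email));
    if (rec && rec.lockedUntil > t) {
      return { allowed: false, retryAfterMs: rec.lockedUntil - t };
    }
    return { allowed: true, retryAfterMs: 0 };
  }

  // Record a failed password check. Returns true when this failure is the one
  // that triggers the lockout.
  recordFailure(email) {
    const t = this.now();
    const k = this.key(email);
    const rec = this.state.get(k) || { attempts: [], lockedUntil: 0 };
    // Forget failures older than the window so old mistakes do not accumulate forever.
    rec.attempts = rec.attempts.filter((ts) => t - ts < WINDOW_MS);
    rec.attempts.push(t);
    let locked = false;
    if (rec.attempts.length >= MAX_ATTEMPTS) {
      rec.lockedUntil = t + LOCKOUT_MS;
      rec.attempts = []; // the lockout replaces the counter
      locked = true;
    }
    this.state.set(k, rec);
    return locked;
  }

  // A successful login clears all state for that address.
  recordSuccess(email) {
    this.state.delete(this.key(email));
  }
}

// Constructed scenario: five quick failures lock one address for 30 minutes
// while another address is unaffected; after the lockout the address is usable again.
function demo() {
  let clock = 1000000; // fake clock, milliseconds
  const limiter = new LoginRateLimiter(() => clock);
  const lockedOn = [];
  for (let i = 0; i < 5; i++) {
    lockedOn.push(limiter.recordFailure('alice@example.com'));
    clock += 1000;
  }
  const aliceLocked = limiter.check('alice@example.com');
  const bobOk = limiter.check('bob@example.com');
  clock += LOCKOUT_MS; // 30 minutes pass
  const aliceAgain = limiter.check('alice@example.com');
  return { lockedOn, aliceLocked, bobOk, aliceAgain };
}

console.log(JSON.stringify(demo()));
```

The limiter keys on the normalised email address rather than the client IP, matching the "5 per email address" limit in the table; a production server would also persist this state outside the process so that a restart does not reset the counters.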
- All API calls use HTTPS encryption
- Bearer token authentication on every request
- Request source identification via `X-Client-Source` header
The server provides informative error messages without exposing sensitive information:
| Status | Handling |
|---|---|
| 401 | Generic "Authentication failed" message |
| 403 | Permission context without internal details |
| 5xx | Generic server error without stack traces |
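The following added example (not the project's own code) shows one way to apply the table above: the client receives only the generic or context-only message, while the operator log keeps the real status, message and stack with bearer tokens redacted. The `ApiError` class, the `permissionContext` parameter and the redaction patterns are assumptions made for this example.

```javascript
// Added example, not GitScrum's own code: shaping errors for the MCP client
// according to the table above, while keeping full (but redacted) detail for
// the operator log. The ApiError shape is an assumption made for this example.
class ApiError extends Error {
  constructor(status, message, body) {
    super(message);
    this.name = 'ApiError';
    this.status = status;   // HTTP status returned by the API
    this.body = body;       // raw upstream body; never forwarded to the client
  }
}

// Strip bearer tokens and token-style query parameters before text is logged.
function redactSecrets(text) {
  return String(text)
    .replace(/Bearer\s+[A-Za-z0-9._~+\/=-]+/g, 'Bearer [REDACTED]')
    .replace(/(token=)[^&\s]+/gi, '$1[REDACTED]');
}

// The message the client sees. `permissionContext` is a short, non-sensitive
// phrase chosen by the caller (e.g. "update task") and is used only for 403.
function toClientError(err, permissionContext) {
  const status = Number.isInteger(err && err.status) ? err.status : 500;
  if (status === 401) {
    return { status: 401, message: 'Authentication failed' };
  }
  if (status === 403) {
    const ctx = permissionContext ? ` (${permissionContext})` : '';
    return { status: 403, message: `Permission denied${ctx}` };
  }
  if (status >= 500 || status < 400) {
    // Any server-side or unexpected failure collapses to one generic message.
    return { status: 500, message: 'Server error' };
  }
  // Remaining client errors (404, 422, ...): keep the status, drop the detail.
  return { status, message: 'Request failed' };
}

// What the operator log receives: the real status, message and stack, redacted.
function toOperatorLog(err) {
  return {
    status: err.status,
    message: redactSecrets(err.message),
    stack: err.stack ? redactSecrets(err.stack) : undefined,
  };
}

// Guard for tests and code review: a client-facing message must not carry
// stack frames, file system paths or credentials.
function leaksInternals(message) {
  return /\bat\s+\S+\s+\(|\/[\w.-]+\/[\w.-]+|Bearer\s|token=/i.test(message);
}

// Constructed failure: the upstream message contains a token and a file path.
const sample = new ApiError(401, 'Invalid token Bearer abc.123 for user 42 at /srv/app/auth.js:17');
console.log(JSON.stringify(toClientError(sample)));
console.log(JSON.stringify(toOperatorLog(sample)));
```

`leaksInternals` is the kind of check the "No sensitive data in logs or error messages" item in the contributor checklist can be enforced with in a test suite: run it over every message the server is able to return.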
- Protect Your Tokens
  - Never share your authentication token
  - Don't commit tokens to version control
  - Re-authenticate if you suspect compromise
- Environment Variables
  - Use `GITSCRUM_TOKEN` only in trusted environments
  - Never expose tokens in logs or output
  - Regularly rotate tokens if using environment variables
  - Use
- Network Security
  - Use the server only on trusted networks
  - Be cautious with custom `GITSCRUM_API_URL` settings
- Code Review
  - All changes require security-focused review
  - Watch for injection vulnerabilities
  - Validate all user inputs
- Dependencies
  - Keep dependencies updated
  - Run `npm audit` regularly
  - Use only well-maintained packages
- Testing
  - Include security test cases
  - Test error handling paths
  - Verify rate limiting works correctly
Before contributing code, ensure:
- No sensitive data in logs or error messages
- Input validation on all user-provided data
- Proper error handling without information leakage
- No hardcoded credentials or secrets
- Dependencies are up to date and audited
We follow responsible disclosure:
- Private Reporting: Issues are reported privately first
- Assessment: Our team evaluates severity and impact
- Fix Development: A patch is developed and tested
- Coordinated Disclosure: Public disclosure after fix is available
- CVE Assignment: Critical vulnerabilities receive CVE identifiers
For security concerns:
- Email: security@gitscrum.com
- PGP Key: Available upon request
For general questions:
- GitHub Issues: For non-security bugs
- Website: gitscrum.com
Thank you for helping keep GitScrum Studio MCP Server secure!