
Security: mcp-tool-shop-org/tool-compass

SECURITY.md

Security Policy

Supported Versions

Version Supported
2.x
1.x

Reporting a Vulnerability

We take security seriously. If you discover a security vulnerability in Tool Compass, please report it responsibly.

Preferred channel — GitHub Security Advisories

Open a private advisory through GitHub's confidential channel: github.com/mcp-tool-shop-org/tool-compass/security/advisories/new. Reports through this path are end-to-end encrypted via GitHub and are automatically routed to the maintainers — no PGP key handoff is required.

Fallback — email

If GitHub Security Advisories are unavailable for any reason, email 64996768+mcp-tool-shop@users.noreply.github.com. PGP / sigstore keys are not currently published; use the GitHub Advisories path above whenever possible.

How to Report

  1. Do NOT open a public GitHub issue for security vulnerabilities.
  2. Use the preferred channel above; fall back to email only if needed.
  3. Include:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Any suggested fixes (optional)

What to Expect

  • Acknowledgment: Within 48 hours
  • Initial Assessment: Within 5 business days
  • Resolution Timeline (tightened on the Critical lane per industry practice — see RFC 9116 + FIRST.org Vulnerability Coordination Maturity Model):
    • Critical: 72 hours to acknowledged remediation plan; 7 days to patch
    • High: 7 days
    • Medium: 30 days
    • Low: 90 days

Disclosure Policy

  • We follow Coordinated Vulnerability Disclosure
  • We will credit reporters in release notes (unless anonymity requested)
  • Please allow us reasonable time to fix before public disclosure

Security Considerations

Known Security Boundaries

Tool Compass is designed as a local development tool. It has these security characteristics:

Component       Security Model
Gradio UI       No authentication by default
MCP Gateway     Trusts backend servers
Analytics DB    Local SQLite, no encryption
Embeddings      Sent to local Ollama

Production Deployment

If deploying Tool Compass in a shared environment:

  1. Enable Gradio authentication:

     demo.launch(auth=("user", "password"))

  2. Use environment variables for sensitive config (not compass_config.json)
  3. Network isolation: run behind a reverse proxy with auth
  4. Rate limiting: add nginx/Cloudflare rate limiting for the UI

Data Privacy

  • Search queries are logged to compass_analytics.db
  • Tool call arguments are hashed (not stored in plain text)
  • Embeddings are generated locally via Ollama
  • No telemetry is sent to external services
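The following is an added example (not code from the Tool Compass project) showing how the two deployment points above fit together with the data-privacy rules: UI credentials for demo.launch(auth=...) are read from environment variables rather than compass_config.json, and tool-call arguments are stored in the SQLite analytics database only as a keyed hash, written and read with parameterized statements. The variable names COMPASS_UI_USER / COMPASS_UI_PASSWORD, the tool_calls table layout and the use of HMAC-SHA256 are assumptions for this example, not the project's actual scheme.

```python
import hashlib
import hmac
import json
import os
import sqlite3

# COMPASS_UI_USER / COMPASS_UI_PASSWORD and the table layout below are
# assumptions for this example, not the project's real configuration.

def load_ui_auth(env=None):
    """Return the (user, password) tuple for demo.launch(auth=...), read from
    environment variables instead of compass_config.json. Returns None when
    either value is missing so the caller can refuse to launch unauthenticated."""
    env = os.environ if env is None else env
    user = env.get("COMPASS_UI_USER")
    password = env.get("COMPASS_UI_PASSWORD")
    if not user or not password:
        return None
    return (user, password)

def hash_tool_args(args, key):
    """Keyed SHA-256 over canonical JSON: identical arguments give identical
    digests, but the plaintext never reaches the analytics database. HMAC is
    used so low-entropy arguments cannot be recovered by guessing (a choice
    made for this example; the project's own hashing may differ)."""
    canonical = json.dumps(args, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()

def open_analytics_db(path=":memory:"):
    """Open the SQLite analytics store (compass_analytics.db in real use)."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS tool_calls "
                 "(tool TEXT NOT NULL, args_hash TEXT NOT NULL)")
    return conn

def log_tool_call(conn, tool_name, args, key):
    """Record a tool call with a parameterized INSERT; only the hash is stored."""
    digest = hash_tool_args(args, key)
    conn.execute("INSERT INTO tool_calls (tool, args_hash) VALUES (?, ?)",
                 (tool_name, digest))
    conn.commit()
    return digest

def count_calls(conn, tool_name):
    """Count logged calls for one tool; the name is bound, never interpolated."""
    row = conn.execute("SELECT COUNT(*) FROM tool_calls WHERE tool = ?",
                       (tool_name,)).fetchone()
    return row[0]

def stored_hashes(conn):
    """Return every stored digest, to confirm no plaintext arguments are kept."""
    return [r[0] for r in conn.execute("SELECT args_hash FROM tool_calls")]
```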

Dependencies

We monitor dependencies for vulnerabilities using:

  • GitHub Dependabot
  • pip-audit in CI

To check locally:

pip install pip-audit
pip-audit

Security Checklist for Contributors

  • No hardcoded secrets or credentials
  • Input validation on user-provided data
  • SQL queries use parameterized statements
  • File paths are validated before access
  • Error messages don't leak sensitive info
  • Dependencies are pinned to specific versions

Contact

For security concerns: use the preferred channel described above (GitHub Security Advisories).

For general questions: Open a GitHub Discussion.
