# Security Policy
## Supported Versions
We actively support the following versions of Penpot MCP with security updates:
| Version | Supported |
| ------- | ------------------ |
| 0.1.x | :white_check_mark: |
| < 0.1 | :x: |
## Reporting a Vulnerability
The Penpot MCP team takes security seriously. If you discover a security vulnerability, please follow these steps:
### 🔒 Private Disclosure
**DO NOT** create a public GitHub issue for security vulnerabilities.
Instead, please email us at: **security@montevive.ai**
### 📧 What to Include
Please include the following information in your report:
- **Description**: A clear description of the vulnerability
- **Impact**: What could an attacker accomplish?
- **Reproduction**: Step-by-step instructions to reproduce the issue
- **Environment**: Affected versions, operating systems, configurations
- **Proof of Concept**: Code, screenshots, or other evidence (if applicable)
- **Suggested Fix**: If you have ideas for how to fix the issue
### 🕐 Response Timeline
- **Initial Response**: Within 48 hours
- **Triage**: Within 1 week
- **Fix Development**: Depends on severity and complexity
- **Public Disclosure**: After fix is released and users have time to update
### 🏆 Recognition
We believe in recognizing security researchers who help keep our users safe:
- **Security Hall of Fame**: Public recognition (with your permission)
- **CVE Assignment**: For qualifying vulnerabilities
- **Coordinated Disclosure**: We'll work with you on timing and attribution
## Security Considerations
### 🔐 Authentication & Credentials
- **Penpot Credentials**: Store securely using environment variables or secure credential management
- **API Keys**: Never commit API keys or passwords to version control
- **Environment Files**: Add `.env` files to `.gitignore`
### 🌐 Network Security
- **HTTPS Only**: Always use HTTPS for Penpot API connections
- **Certificate Validation**: Don't disable SSL certificate verification
- **Rate Limiting**: Respect API rate limits to avoid service disruption
### 🛡️ Input Validation
- **User Input**: All user inputs are validated and sanitized
- **File Uploads**: Penpot file parsing includes safety checks
- **API Responses**: External API responses are validated before processing
### 🔍 Data Privacy
- **Minimal Data**: We only access necessary Penpot data
- **No Storage**: Design data is not permanently stored by default
- **User Control**: Users control what data is shared with AI assistants
### 🚀 Deployment Security
- **Dependencies**: Regularly update dependencies for security patches
- **Permissions**: Run with minimal required permissions
- **Isolation**: Use virtual environments or containers
## Security Best Practices for Users
### 🔧 Configuration
```bash
# Use environment variables for sensitive data
export PENPOT_USERNAME="your_username"
export PENPOT_PASSWORD="your_secure_password"
export PENPOT_API_URL="https://design.penpot.app/api"
# Or use a .env file (never commit this!)
echo "PENPOT_USERNAME=your_username" > .env
echo "PENPOT_PASSWORD=your_secure_password" >> .env
echo "PENPOT_API_URL=https://design.penpot.app/api" >> .env
```
### 🔒 Access Control
- **Principle of Least Privilege**: Only grant necessary Penpot permissions
- **Regular Audits**: Review and rotate credentials regularly
- **Team Access**: Use team accounts rather than personal credentials for shared projects
### 🖥️ Local Development
```bash
# Keep your development environment secure
chmod 600 .env            # Restrict file permissions to the owner
git check-ignore -v .env  # Prints the matching .gitignore rule; no output means .env is NOT ignored
```
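
A startup preflight for the settings above, as an added example that is not part of the Penpot MCP code base: it checks a `.env` file for a permissive mode, unset or placeholder credentials, and a non-HTTPS `PENPOT_API_URL`. The function names and the sample file written by `demo()` are constructed for illustration.

```python
import os
import stat
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

REQUIRED = ("PENPOT_USERNAME", "PENPOT_PASSWORD", "PENPOT_API_URL")
# Placeholder values copied from the configuration snippet on this page.
PLACEHOLDERS = {"your_username", "your_secure_password"}


def parse_env_file(path):
    """Parse simple KEY=VALUE lines; blank lines and # comments are skipped."""
    values = {}
    for line in Path(path).read_text().splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip().strip('"')
    return values


def preflight(env_file):
    """Return a list of findings; an empty list means the file passes."""
    findings = []
    mode = stat.S_IMODE(os.stat(env_file).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{env_file}: mode {mode:o} is group/world accessible, expected 600")
    values = parse_env_file(env_file)
    for name in REQUIRED:
        if not values.get(name):
            findings.append(f"{name} is not set")
        elif values[name] in PLACEHOLDERS:
            findings.append(f"{name} still holds the placeholder value")
    url = urlsplit(values.get("PENPOT_API_URL", ""))
    if values.get("PENPOT_API_URL") and (url.scheme != "https" or not url.hostname):
        findings.append("PENPOT_API_URL must be an https:// URL with a host")
    return findings


def demo():
    """Run the check on a constructed .env written to a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        env = Path(tmp) / ".env"
        env.write_text("PENPOT_USERNAME=alice\nPENPOT_PASSWORD=your_secure_password\n"
                       "PENPOT_API_URL=http://design.penpot.app/api\n")
        os.chmod(env, 0o644)
        return preflight(env)
```

Calling `preflight(".env")` before the server starts, and refusing to run on any finding, turns the guidance in this section into an enforced check.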
### 🤖 AI Integration
- **Data Sensitivity**: Be mindful of what design data you share with AI assistants
- **Public vs Private**: Consider using private AI instances for sensitive designs
- **Audit Logs**: Monitor what data is being accessed and shared
## Vulnerability Disclosure Policy
### 🎯 Scope
This security policy applies to:
- **Penpot MCP Server**: Core MCP protocol implementation
- **API Client**: Penpot API integration code
- **CLI Tools**: Command-line utilities
- **Documentation**: Security-related documentation
### ⚠️ Out of Scope
The following are outside our direct control but we'll help coordinate:
- **Penpot Platform**: Report to Penpot team directly
- **Third-party Dependencies**: We'll help coordinate with upstream maintainers
- **AI Assistant Platforms**: Report to respective platform security teams
### 🚫 Testing Guidelines
When testing for vulnerabilities:
- **DO NOT** test against production Penpot instances without permission
- **DO NOT** access data you don't own
- **DO NOT** perform destructive actions
- **DO** use test accounts and data
- **DO** respect rate limits and terms of service
## Security Updates
### 📢 Notifications
Security updates will be announced through:
- **GitHub Security Advisories**: Primary notification method
- **Release Notes**: Detailed in version release notes
- **Email**: For critical vulnerabilities (if you've subscribed)
### 🔄 Update Process
```bash
# Always update to the latest version for security fixes
pip install --upgrade penpot-mcp
# Or with uv
uv add penpot-mcp@latest
```
## Contact
- **Security Issues**: security@montevive.ai
- **General Questions**: Use [GitHub Discussions](https://github.com/montevive/penpot-mcp/discussions)
- **Bug Reports**: [GitHub Issues](https://github.com/montevive/penpot-mcp/issues)
---
Thank you for helping keep Penpot MCP and our community safe! 🛡