This project is currently in its initial public release (v1.0).

At this stage:

• Only the latest released version is supported for security fixes.
• No long-term support (LTS) versions are available yet.
• Security fixes will be applied to the main branch and released as patch versions when applicable.

If you discover a security vulnerability, please do not open a public issue.

Instead, report it privately using one of the following methods:

• Email: <ADD_SECURITY_CONTACT_EMAIL>
• Private message or secure channel: <ADD_ALTERNATIVE_CONTACT>

Please include as much detail as possible to help us understand and reproduce the issue:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Affected versions
• Any proof-of-concept (if available)

The security policy applies to:

• The MCP SonarQube Server codebase
• MCP tools exposed by the server
• Configuration handling (environment variables, secrets)
• HTTP endpoints exposed by the server

Out of scope (for v1.0):

• Third-party services (SonarQube, Docker, MCP clients)
• Misconfigured client environments
• Compromised SonarQube tokens
• Denial-of-service caused by external infrastructure or networks

As an early-stage project, the following considerations apply:

• Authentication is based on SonarQube user tokens
• The server provides read-only access to SonarQube data (projects, issues, measures, rules, hotspots)
• No secrets are persisted; all credentials are provided via environment variables
• Users are responsible for securing their runtime environment
• Logging avoids sensitive data by design, but misconfiguration may expose information

When a vulnerability is reported:

1. The maintainers will acknowledge the report.
2. The issue will be validated and assessed for impact.
3. A fix will be developed and tested.
4. A patch release will be published if necessary.
5. The reporter may be credited (if desired).

Timelines are best-effort and may vary depending on severity and available resources.

We follow a responsible disclosure approach:

• Vulnerabilities should be reported privately.
• Public disclosure should only occur after a fix is released or explicitly agreed upon.
• Coordinated disclosure helps protect users and the ecosystem.

For users running this server in production-like environments:

• Use minimal-scope SonarQube tokens with read-only permissions
• Never commit .env files or secrets
• Restrict network access to the MCP server
• Monitor logs and usage patterns
• Rotate tokens periodically

Security-related fixes will be documented in:

• GitHub Releases
• Release Notes (when applicable)

We appreciate responsible security researchers and contributors who help improve the safety and reliability of this project.

Thank you for helping keep MCP SonarQube Server secure.