Only the latest release on main receives security fixes. Older tagged
releases are not patched — pin a recent version in your dependencies.
| Version | Supported |
|---|---|
| latest | ✅ |
| < latest | ❌ |
Please do not open a public GitHub issue for security problems.
Email security reports to info@ginkelsoft.com with:
- A clear description of the issue and its impact.
- Steps to reproduce (proof-of-concept welcomed, but optional).
- The version / commit SHA you tested against.
- Optionally, a suggested fix.
You will receive an acknowledgement within 3 working days. We aim to ship a fix or mitigation within 30 days of a confirmed report, faster for high-severity issues.
In scope:
- Code in this repository, including the MCP server, HTTP client, and CI workflows.
- Documentation that could lead users to misconfigure their token storage or transport in a dangerous way.
Out of scope:
- Vulnerabilities in upstream dependencies — please report those to the
respective projects (e.g.
httpx,mcp,starlette). If a vulnerable dependency is being used here, we do want to know so we can bump it. - Issues in the Hetzner APIs themselves — report those to Hetzner.
- Social-engineering, phishing, or physical access attacks.
Once a fix is available, the reporter is credited in the release notes unless they prefer to remain anonymous. We coordinate the public disclosure timing with the reporter where reasonable.