Skip to content

Security: ginkelsoft-development/mcp-hetzner

Security

SECURITY.md

Security Policy

Supported versions

Only the latest release on main receives security fixes. Older tagged releases are not patched — pin a recent version in your dependencies.

Version Supported
latest
< latest

Reporting a vulnerability

Please do not open a public GitHub issue for security problems.

Email security reports to info@ginkelsoft.com with:

  • A clear description of the issue and its impact.
  • Steps to reproduce (proof-of-concept welcomed, but optional).
  • The version / commit SHA you tested against.
  • Optionally, a suggested fix.

You will receive an acknowledgement within 3 working days. We aim to ship a fix or mitigation within 30 days of a confirmed report, faster for high-severity issues.

Scope

In scope:

  • Code in this repository, including the MCP server, HTTP client, and CI workflows.
  • Documentation that could lead users to misconfigure their token storage or transport in a dangerous way.

Out of scope:

  • Vulnerabilities in upstream dependencies — please report those to the respective projects (e.g. httpx, mcp, starlette). If a vulnerable dependency is being used here, we do want to know so we can bump it.
  • Issues in the Hetzner APIs themselves — report those to Hetzner.
  • Social-engineering, phishing, or physical access attacks.

Disclosure

Once a fix is available, the reporter is credited in the release notes unless they prefer to remain anonymous. We coordinate the public disclosure timing with the reporter where reasonable.

There aren't any published security advisories