| Version | Supported |
|---|---|
| 3.10.x | ✅ |
| 3.9.x | ✅ |
| < 3.9 | ❌ |
If you discover a security vulnerability in TappsMCP, please report it responsibly.
Do not open a public GitHub issue for security vulnerabilities.
Instead, please email security concerns to the repository maintainers via GitHub's private vulnerability reporting:
- Go to the Security tab of this repository
- Click "Report a vulnerability"
- Fill in the details of the vulnerability
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Acknowledgement: Within 48 hours
- Initial assessment: Within 1 week
- Fix release: Depends on severity (critical: ASAP, high: 1-2 weeks, medium/low: next release)
TappsMCP implements several security layers:
- Path validation: All file operations are validated against a project root boundary
- Secret scanning: Detects and redacts API keys, tokens, passwords, and PII
- RAG safety: Prompt injection detection on retrieved documentation
- Governance layer: Content filtering before tool responses
- Subprocess sandboxing: Timeouts and controlled environment for external tool execution
The following are in scope for security reports:
- Path traversal or boundary escape
- Prompt injection bypass in RAG safety filters
- Secret/PII leakage through tool outputs
- Command injection via subprocess execution
- Authentication/authorization bypass (when using HTTP transport)
The following are out of scope:
- Denial of service via resource exhaustion (mitigated by timeouts and limits)
- Vulnerabilities in upstream dependencies (report to those projects directly)
- Issues requiring physical access to the host machine