Security: Devora-AS/devora-prompt-assistant-mcp

SECURITY.md

Security Policy

Supported Versions

We release patches for security vulnerabilities in the following versions:

Version   Supported
0.1.x     Yes

Reporting a Vulnerability

We take security bugs seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.

How to Report

Please report security vulnerabilities by emailing security@devora.no with the subject line "SECURITY: [Brief Description]".

What to Include

Please include the following information in your report:

  • Description: A clear description of the vulnerability
  • Steps to Reproduce: Detailed steps to reproduce the issue
  • Impact: Potential impact of the vulnerability
  • Environment: OS, Node.js version, and any other relevant details
  • Suggested Fix: If you have suggestions for how to fix the issue

What to Expect

  • Acknowledgment: We will acknowledge receipt of your report within 48 hours
  • Initial Assessment: We will provide an initial assessment within 5 business days
  • Regular Updates: We will keep you informed of our progress
  • Resolution: We will work with you to resolve the issue

Security Considerations

This MCP server handles sensitive data including:

  • API Keys: All provider API keys are redacted from logs and error messages
  • Code Context: The collect_context tool may access proprietary code from your workspace
  • Prompt Data: User prompts and enhanced outputs are processed by external AI providers

Best Practices

  • Environment Variables: Store API keys in environment variables, never in code or committed configuration files
  • Logging: Set LOG_LEVEL=error in production to minimize what reaches the logs
  • Network Security: Use HTTPS for all API communications with providers
  • Access Control: Require Bearer token authentication whenever the server is exposed over the HTTP transport
  • Code Review: Review all code before deployment

Data Handling

  • No Data Storage: This server does not store user data or API keys
  • Temporary Processing: All data is processed in memory and is not persisted to disk
  • Provider Privacy: Prompts and collected code context are still sent to the configured AI provider; check that provider's privacy policy for how it handles and retains that data

Contact

For security-related questions or to report vulnerabilities:

  • Email: security@devora.no
  • Response Time: Within 48 hours
  • PGP Key: Available upon request

Security Updates

Security updates will be released as patch versions (e.g., 0.1.1, 0.1.2) and will be announced via:

  • GitHub releases
  • NPM package updates
  • Security advisories in the repository

Acknowledgments

We would like to thank the following security researchers who have helped improve our security:

  • [Your name here]

License

This security policy is licensed under the same terms as the project (MIT License).
