We release patches for security vulnerabilities. Which versions are eligible for such patches depends on the CVSS v3.0 rating of the issue and on the support table below:
| Version | Supported |
|---------|-----------|
| 1.0.x   | ✅        |
| < 1.0   | ❌        |
Please report vulnerabilities by emailing [email protected], and include:
- Description of the vulnerability
- Steps to reproduce the issue
- Possible impact
- Suggested fix (if any)
We will acknowledge receipt within 24 hours and provide updates on remediation progress.
- All file paths are validated and sanitized
- Document inputs are processed in isolated environments
- User inputs are escaped and validated
- File type restrictions are enforced
- Temporary files are created in secure directories
- All temporary files are cleaned up after processing
- File size limits are enforced to prevent DoS attacks
- Malicious files are detected and rejected
- Regular security updates for all dependencies
- Vulnerability scanning using automated tools
- Minimal dependency footprint to reduce attack surface
- Security-focused dependency selection
- LibreOffice processes run with restricted permissions
- Browser instances are sandboxed
- Command execution is parameterized to prevent injection
- Network access is restricted for processing operations
- No data is sent to external servers
- All processing happens locally
- Sensitive data is not logged
- Configuration files are protected with appropriate permissions
- Keep the software updated to the latest version
- Use strong file permissions for sensitive documents
- Regularly audit the documents being processed
- Monitor system resources during processing
- Run security scans before commits
- Follow secure coding practices
- Validate all inputs and outputs
- Use parameterized queries for any database operations
- Day 0: Vulnerability reported
- Day 1: Acknowledgment sent to reporter
- Day 3: Initial assessment completed
- Day 7: Fix developed and tested
- Day 14: Security update released
- Day 30: Public disclosure (if applicable)
- Security Email: [email protected]
- GitHub Security Issues: Use GitHub's private vulnerability reporting feature
- Emergency Contact: Use security email with "URGENT" in subject line
We use the following security scanning tools:
- npm audit: Regular dependency vulnerability scanning
- CodeQL: Static analysis for security vulnerabilities
- Dependabot: Automated dependency updates
- Trivy: Container and file system scanning
When deploying this MCP server:
- Ensure proper file system permissions
- Use principle of least privilege
- Configure appropriate resource limits
- Monitor system logs for suspicious activity
- Implement network segmentation if applicable
In case of a security incident:
- Immediately assess the impact
- Isolate affected systems if necessary
- Document the incident
- Apply patches or workarounds
- Notify affected users if data exposure occurred
- Conduct post-incident review
Security updates will be:
- Released as patch versions (1.0.x)
- Announced via GitHub releases
- Documented in CHANGELOG.md
- Backported to supported versions when feasible