We release patches for security vulnerabilities. Which versions are eligible for receiving such patches depends on the CVSS v3.0 Rating:

We take the security of HUMMBL MCP Server seriously. If you believe you have found a security vulnerability, please report it to us as described below.

• Open a public GitHub issue
• Post about it in public forums or social media
• Attempt to exploit the vulnerability beyond the minimum required for proof of concept

Report security vulnerabilities to: security@hummbl.io

Please include the following information in your report:

• Type of vulnerability (e.g., input validation, authentication bypass, etc.)
• Full paths of source file(s) related to the manifestation of the issue
• Location of the affected source code (tag/branch/commit or direct URL)
• Any special configuration required to reproduce the issue
• Step-by-step instructions to reproduce the issue
• Proof-of-concept or exploit code (if possible)
• Impact of the issue, including how an attacker might exploit it

1. Initial Response: We will acknowledge your email within 48 hours
2. Investigation: We will investigate the issue and determine its severity
3. Resolution: We will develop and test a fix
4. Disclosure: We will coordinate public disclosure with you
5. Credit: We will credit you in our security advisory (unless you prefer to remain anonymous)

When using HUMMBL MCP Server:

• The server validates all inputs using Zod schemas
• Problem descriptions are sanitized before processing
• Model codes are validated against regex patterns

• Runtime dependencies (v1.2.x): @modelcontextprotocol/sdk, zod, @opentelemetry/api, @opentelemetry/core, @opentelemetry/sdk-trace-node, @opentelemetry/exporter-trace-otlp-http, @opentelemetry/resources, @opentelemetry/semantic-conventions, @upstash/redis, hono, jspdf, nanoid. See package.json for current pinned versions.
• Dependencies are regularly updated via Dependabot.
• All dependencies are scanned for known vulnerabilities in CI.

• The server runs with minimal privileges.
• No file system access beyond read-only configuration.
• Two operating modes (selected at startup):
  • local-only (default when HUMMBL_API_KEY is unset): no outbound network connections except MCP protocol communication over stdio.
  • hybrid (when HUMMBL_API_KEY is set): the recommend_models tool makes authenticated HTTPS requests to the HUMMBL recommendation API. No other tools make network requests. The OpenTelemetry exporter may emit traces to a configured OTLP collector (operator-opt-in).
• All errors are logged to stderr (MCP protocol requires clean stdout) without exposing sensitive information.

When integrating HUMMBL MCP Server:

1. Authentication: Use Claude Desktop's built-in authentication
2. Network: Run on localhost only (default)
3. Permissions: Grant minimal required permissions
4. Monitoring: Enable logging to detect unusual activity
5. Updates: Keep the server updated to the latest version

• Problem descriptions accept arbitrary text input
• Current implementation has basic length validation
• Future versions will include enhanced content filtering

• No rate limiting is implemented at the server level
• Claude Desktop provides rate limiting at the client level
• Consider implementing additional rate limiting for production deployments

• Server logs to stderr for MCP protocol compliance
• No persistent audit logs are maintained
• Consider external log aggregation for compliance requirements

Security updates will be released as:

• Critical: Immediate patch release (within 24 hours)
• High: Patch release within 7 days
• Medium: Patch release within 30 days
• Low: Included in next regular release

Subscribe to our GitHub releases to receive security notifications.

We practice responsible disclosure:

1. Security fixes are developed privately
2. Coordinated disclosure with reporters
3. Public security advisories published with fixes
4. CVE IDs assigned for critical vulnerabilities

• Security Issues: security@hummbl.io
• General Questions: reuben@hummbl.io
• GitHub Issues: hummbl-dev/mcp-server/issues (non-security only)

Thank you for helping keep HUMMBL MCP Server and its users safe!