Skip to content

Security Policy

Reporting a Vulnerability

We take the security of biomcp seriously. If you believe you have found a security vulnerability, please report it to us as described below.

Please do NOT:

  • Open a public GitHub issue
  • Discuss the vulnerability publicly before it has been addressed

Please DO:

  • Email us at [email protected]
  • Include the word "SECURITY" in the subject line
  • Provide detailed steps to reproduce the vulnerability
  • Include the impact and potential attack scenarios

What to expect:

  • Acknowledgment: Within 24 hours
  • Initial Assessment: Within 72 hours
  • Status Updates: At least every 5 business days
  • Resolution Target: Critical issues within 30 days

Scope

Vulnerabilities in the following areas are in scope:

  • Authentication bypass or privilege escalation
  • Data exposure or unauthorized access to user queries
  • Injection vulnerabilities (SQL, command, etc.)
  • Cross-site scripting (XSS) or request forgery (CSRF)
  • Denial of service vulnerabilities
  • Insecure cryptographic implementations
  • Third-party API key exposure

Out of Scope:

  • Vulnerabilities in third-party services (PubMed, bioRxiv, etc.)
  • Issues in dependencies with existing patches
  • Social engineering attacks
  • Physical attacks
  • Attacks requiring authenticated admin access

Disclosure Policy

  • We will work with you to understand and validate the issue
  • We will prepare a fix and release it as soon as possible
  • We will publicly disclose the vulnerability after the fix is released
  • We will credit you for the discovery (unless you prefer to remain anonymous)

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct, and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Contact

Security Team Email: [email protected] PGP Key: Available upon request

Thank you for helping keep biomcp and our users safe!