# Security Policy

## Supported Versions

Security fixes are applied to the latest release and the `main` branch.

## Reporting a Vulnerability

Do not open a public issue for an undisclosed vulnerability. Use the
repository host's private security-reporting feature when available, or contact
the repository owner privately. Include affected versions, impact, reproduction
steps, and any suggested mitigation. Maintainers should acknowledge a report
within seven days and coordinate disclosure after a fix is available.

## Deployment Baseline

MAESTRO can execute tools, browser actions, and optionally SSH commands. Treat
it as a privileged service:

- Keep the service bound to localhost until OAuth authentication is configured.
- Put internet-facing deployments behind a TLS reverse proxy.
- Set `safety.bash_sandbox: always` for multi-user deployments.
- Keep `MCP_ENCRYPTION_KEY`, OAuth secrets, SSH keys, and provider credentials
  outside the repository and rotate them after suspected exposure.
- Restrict `/metrics` with a bearer token or an explicit source-IP allowlist.
- Review enabled tools and integrations before granting access to untrusted users.
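
The proxy-related items above, shown as an nginx configuration. This is an added example, not part of the MAESTRO project; the hostname, certificate paths, upstream port `8080` and the `10.0.0.0/24` monitoring subnet are assumptions to replace with your own values.

```nginx
# Added example. Hostname, file paths, upstream port and CIDR are assumed
# placeholders, not values taken from the MAESTRO project.

# Redirect plaintext requests so no session ever runs over HTTP.
server {
    listen 80;
    server_name maestro.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name maestro.example.com;

    ssl_certificate     /etc/nginx/tls/maestro.example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/maestro.example.com.key.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    add_header Strict-Transport-Security "max-age=31536000" always;

    # /metrics: explicit source-IP allowlist; every other client gets 403.
    location /metrics {
        allow 10.0.0.0/24;   # assumed monitoring subnet
        deny  all;
        proxy_pass http://127.0.0.1:8080;
    }

    # Everything else is forwarded to the service, which stays bound to
    # localhost and is reachable from outside only through this proxy.
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Validate the file with `nginx -t` before reloading, and confirm from a host outside the allowlist that `/metrics` returns 403.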