We release patches for security vulnerabilities in the following versions:
| Version | Supported |
|---|---|
| 1.x.x | ✅ |
The UCP Doctor team takes security bugs seriously. We appreciate your efforts to responsibly disclose your findings.
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report security vulnerabilities by emailing:
If you prefer encrypted communication, you can use our PGP key (available upon request).
To help us better understand and resolve the issue, please include as much of the following information as possible:
- Type of issue (e.g., XSS, injection, authentication bypass)
- Full paths of source file(s) related to the manifestation of the issue
- Location of the affected source code (tag/branch/commit or direct URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it
- Any special configuration required to reproduce the issue
After you submit a report, we will:
- Acknowledge receipt within 48 hours
- Provide an initial assessment within 5 business days
- Keep you informed about our progress
- Notify you when the issue is fixed
- Publicly credit you for the discovery (unless you prefer to remain anonymous)
- Initial Response: Within 48 hours
- Status Update: Within 5 business days
- Fix Timeline: Varies by severity
- Critical: 1-7 days
- High: 7-14 days
- Medium: 14-30 days
- Low: 30-90 days
- We will work with you to understand the scope and impact of the vulnerability
- We will keep you informed as we develop and test fixes
- We ask that you give us a reasonable amount of time to fix the issue before public disclosure
- We will credit you in our security advisories (unless you wish to remain anonymous)
When we receive a security bug report:
- We confirm the issue and determine affected versions
- We audit code to find similar problems
- We prepare fixes for all supported versions
- We release new versions as soon as possible
- We publish a security advisory
We support safe harbor for security researchers who:
- Make a good faith effort to avoid privacy violations, data destruction, and service disruption
- Only interact with accounts you own or with explicit permission of the account holder
- Do not exploit the vulnerability beyond what is necessary to confirm it exists
- Report the vulnerability promptly to security@awesomeucp.com
- Keep the vulnerability confidential until we have issued a fix
We will not pursue legal action against researchers who follow these guidelines.
When deploying UCP Doctor:
- Keep dependencies updated - Run
npm auditregularly and update packages - Use HTTPS - Always serve UCP Doctor over HTTPS in production
- Validate inputs - The tool validates UCP implementations; ensure your own inputs are trusted
- Environment variables - Never commit sensitive credentials or API keys
- Monitor logs - Review application logs for suspicious activity
- Rate limiting - Consider implementing rate limiting for the diagnostic API endpoints
- CORS configuration - Configure CORS appropriately for your deployment
UCP Doctor fetches and validates external URLs provided by users. While we implement security measures:
- We set reasonable timeouts to prevent hanging requests
- We validate response formats before processing
- We limit the size of downloaded content
Recommendation: When deploying UCP Doctor, consider:
- Running it behind a firewall with restricted outbound access
- Implementing additional URL validation/allowlisting for your use case
- Setting up monitoring for unusual outbound request patterns
UCP Doctor validates JSON against Zod schemas. While Zod is designed to be safe:
- We limit recursion depth to prevent stack overflow attacks
- We validate input size before processing
- We handle validation errors gracefully
We regularly update dependencies to patch known vulnerabilities. You can check the current security status:
npm auditWe would like to thank the following researchers for responsibly disclosing security issues:
- No reports yet
If you have questions about this security policy, please email security@awesomeucp.com.