The following versions of NetMCP currently receive security updates:
| Version | Supported |
|---|---|
| 0.1.x | ✅ |
| < 0.1.0 | ❌ |
As NetMCP is in active development (pre-1.0), only the latest minor version receives security patches. Users are strongly encouraged to stay on the most recent release.
We take the security of NetMCP seriously. If you discover a security vulnerability, please follow these steps:
- Use GitHub Security Advisories to privately report the vulnerability. This creates a confidential channel between you and the maintainers.
- Provide detailed information including:
  - A clear description of the vulnerability
  - Steps to reproduce the issue
  - Affected versions and components
  - Any proof-of-concept code or screenshots
  - Potential impact assessment
- Allow time for response. We aim to acknowledge reports within 48 hours and provide a resolution timeline within 7 days.
- Do not open a public issue on the issue tracker for security vulnerabilities.
- Do not disclose the vulnerability publicly before we have had a reasonable time to investigate and release a fix.
- Do not test the vulnerability against production systems or networks that you do not own.
The following should be reported via regular GitHub Issues, not Security Advisories:
- General questions about using NetMCP
- Feature requests
- Non-security bugs (crashes, incorrect output, etc.)
- Already known and publicly documented issues
- Dependency vulnerabilities in transitive dependencies (unless they directly affect NetMCP's security posture)
When a vulnerability is reported, we follow this process:
- Acknowledge (within 48 hours) — Confirm receipt of the report and assign a tracking ID.
- Investigate (within 7 days) — Reproduce the vulnerability and assess impact.
- Fix (within 14 days) — Develop and test a patch.
- Release — Publish a patched version and update the security advisory.
- Disclose — After users have had reasonable time to update (typically 30 days), publish a public advisory.
We classify vulnerabilities using the following severity levels:
| Level | Description | Response Time |
|---|---|---|
| Critical | Remote code execution, credential exposure | 48 hours |
| High | Authentication bypass, data leakage | 7 days |
| Medium | Denial of service, information disclosure | 14 days |
| Low | Minor information leak, non-critical misconfig | 30 days |
NetMCP interacts with network traffic and external services. Follow these guidelines to use it securely:
- Run with least privilege: Use Linux capabilities (`CAP_NET_RAW`) instead of running as root.
- Keep dependencies updated: Regularly run `pip install --upgrade` for all dependencies.
- Secure your MCP client: Ensure your MCP client (Claude Desktop, Cursor, etc.) is configured with appropriate access controls.
- Review network data carefully: Captured network traffic may contain sensitive information. Handle pcap files and analysis results accordingly.
- Use trusted networks: Only capture traffic on networks you are authorized to monitor.
- Validate inputs: When using threat intelligence or scanning features, ensure targets are within your scope of authorization.
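One way to check the least-privilege guideline above at startup, as an added example (not NetMCP's own code): it reads the effective capability set from `/proc/self/status` on Linux and flags a root process or any capability beyond `CAP_NET_RAW`. The function names, the sample status text and the assumption that `CAP_NET_RAW` is the only capability required are illustrative.

```python
import os
import re

# Capability bit number from linux/capability.h
CAP_NET_RAW = 13


def parse_effective_caps(status_text):
    """Return the effective capability bitmask from /proc/<pid>/status text."""
    match = re.search(r"^CapEff:\s*([0-9a-fA-F]+)$", status_text, re.MULTILINE)
    if match is None:
        raise ValueError("no CapEff line found")
    return int(match.group(1), 16)


def audit_privileges(euid, status_text):
    """Return a list of findings; an empty list means least privilege holds."""
    caps = parse_effective_caps(status_text)
    findings = []
    if euid == 0:
        findings.append("running as root")
    if not caps & (1 << CAP_NET_RAW):
        findings.append("CAP_NET_RAW not in effective set")
    # Assumption: CAP_NET_RAW is the only capability the process needs.
    extra = caps & ~(1 << CAP_NET_RAW)
    if extra:
        findings.append(f"unneeded capabilities held: {extra:#x}")
    return findings


# Constructed /proc/self/status excerpts (not captured from a real host)
ROOT_STATUS = "Name:\tpython3\nCapEff:\t000001ffffffffff\n"    # full set
SCOPED_STATUS = "Name:\tpython3\nCapEff:\t0000000000002000\n"  # CAP_NET_RAW only
PLAIN_STATUS = "Name:\tpython3\nCapEff:\t0000000000000000\n"   # no capabilities

if __name__ == "__main__":
    # Linux only: audit the current process and print any findings.
    with open("/proc/self/status") as fh:
        for finding in audit_privileges(os.geteuid(), fh.read()):
            print("WARN:", finding)
```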
We thank the following individuals and organizations for responsibly reporting security issues:
This list will be updated as security researchers responsibly disclose vulnerabilities.
For security-related questions that do not involve a vulnerability report, open a Discussion or email the maintainers.
This security policy is adapted from the OpenSSF Best Practices for open source projects.