We release patches for security vulnerabilities. Currently supported versions:

The UniProt MCP team takes security bugs seriously. We appreciate your efforts to responsibly disclose your findings.

Please do not report security vulnerabilities through public GitHub issues.

Instead, please report them via email to:

📧 [email protected]

Please include the following information:

• Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
• Full paths of source file(s) related to the manifestation of the issue
• The location of the affected source code (tag/branch/commit or direct URL)
• Any special configuration required to reproduce the issue
• Step-by-step instructions to reproduce the issue
• Proof-of-concept or exploit code (if possible)
• Impact of the issue, including how an attacker might exploit it

• Acknowledgment: We will acknowledge your email within 48 hours
• Investigation: We will investigate and validate the issue within 7 days
• Updates: We will keep you informed about our progress
• Resolution: We will work on a fix and coordinate the disclosure timeline with you

1. Patch Development: Security patches are developed privately
2. Testing: Patches are thoroughly tested before release
3. Coordinated Disclosure: We coordinate with you on disclosure timing
4. Release: Security updates are released as patch versions
5. Advisory: We publish a security advisory on GitHub

When using UniProt MCP Server:

• Run the server with minimal privileges
• Avoid exposing stdio servers to untrusted networks
• Validate all input from LLM agents

• Use HTTPS in production (reverse proxy with TLS)
• Configure CORS appropriately (avoid wildcards in production)
• Implement rate limiting at the reverse proxy level
• Use authentication tokens for sensitive deployments
• Monitor logs for suspicious activity
• Keep dependencies up to date (uv sync --upgrade)

• Never commit API tokens to version control
• Use environment variables for sensitive configuration
• Rotate tokens regularly
• Use least-privilege access principles

• We use uv.lock to pin all dependencies
• We monitor dependencies for known vulnerabilities
• Security updates are released promptly

The following environment variables affect security:

# Limit concurrent requests (prevents resource exhaustion)
UNIPROT_MAX_CONCURRENCY=8

# Configure CORS (restrict in production)
MCP_CORS_ALLOW_ORIGINS=https://your-domain.com
MCP_CORS_ALLOW_METHODS=GET,POST
MCP_CORS_ALLOW_HEADERS=Content-Type,Authorization

# Enable structured logging for audit trails
UNIPROT_LOG_FORMAT=json
UNIPROT_LOG_LEVEL=info

Consider implementing rate limiting at your deployment layer:

# Example: Using nginx
limit_req_zone $binary_remote_addr zone=mcp:10m rate=10r/s;

• UniProt MCP fetches data from UniProt's public API
• No user data is stored by this server
• All UniProt data is subject to UniProt's terms of use

• The server makes outbound HTTPS requests to UniProt API
• No inbound connections except for the HTTP transport endpoint
• All UniProt API communications use TLS

• All tool inputs are validated using Pydantic models
• UniProt API responses are defensively parsed
• Malformed responses do not crash the server

We follow coordinated vulnerability disclosure:

1. Security researchers privately report vulnerabilities
2. We work with researchers to validate and patch issues
3. We coordinate public disclosure timing
4. We credit researchers who report issues (unless they prefer anonymity)

We recognize security researchers who help us keep UniProt MCP Server secure:

No reported vulnerabilities yet.

• Last security review: October 2025
• No formal security audit has been conducted yet
• Community security reviews are welcome

For security concerns: [email protected]
For general issues: GitHub Issues

Thank you for helping keep UniProt MCP Server and its users safe!