DollhouseMCP takes the security of our software and our users seriously. We've built security into every layer of our architecture, from input validation to secure update mechanisms. This document outlines our security policies, how to report vulnerabilities, and what you can expect from us.
If you discover a security vulnerability in DollhouseMCP, please help us address it responsibly:
- DO NOT create a public GitHub issue
- DO NOT disclose the vulnerability publicly until we've had time to address it
- DO use one of these secure channels:
- Open a Private Security Advisory on GitHub
- Email us at: security@dollhousemcp.com (coming soon)
Please provide as much information as possible:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if you have one)
- Your contact information (for follow-up)
Important: DollhouseMCP is an open-source project maintained by a single developer in their spare time.
- No guaranteed response times - I will respond when I'm able to
- No obligation to fix issues - I will make best efforts to address security issues, but cannot guarantee fixes
- No SLA or support commitments - This is free software provided as-is
- Response times vary - Depending on my availability, work schedule, and other life commitments
- Critical security issues: I'll try to look at these as soon as I become aware of them
- Other issues: Will be addressed when time permits
- Patches and fixes: Provided on a best-effort basis with no guaranteed timeline
- Communication: I'll try to acknowledge reports when I can, but please be patient
This is a personal project I maintain because I believe in it, not a commercial product with support obligations.
If you'd like to contribute to improving DollhouseMCP's security response:
- Submit PRs: Security fixes with tests are always welcome
- Volunteer Time: If you have security expertise and want to help review/fix issues, please reach out
- Sponsor Development: Donations help me allocate more time to the project
- Join as Maintainer: I'm open to bringing on trusted contributors to help with security responses
Contact me if you're interested in helping make DollhouseMCP more secure and sustainable.
We provide security updates for the following versions:
| Version | Support Status | Security Updates |
|---|---|---|
| 1.9.x | β Current | All security updates |
| 1.8.x | Critical security only | |
| 1.7.x | Critical security only | |
| < 1.7.0 | β End of Life | No updates |
We implement multiple layers of security:
- Input Validation: All user inputs are validated and sanitized
- Output Encoding: Protection against XSS and injection attacks
- Path Traversal Prevention: File system access is strictly controlled
- Rate Limiting: API and operation limits prevent abuse
- Secure Dependencies: Regular updates and vulnerability scanning
- No Credential Storage: Tokens and secrets are never persisted
- Automatic Redaction: Sensitive data is scrubbed from all logs
- Minimal Data Collection: We only collect what's necessary
- Local-First Architecture: Your data stays on your machine
We actively prevent malicious content:
- Pattern Detection: Known attack vectors are blocked
- Secret Scanning: Prevents accidental credential exposure
- YAML Injection Protection: Safe parsing with strict schemas
- Command Injection Prevention: No direct shell execution
- URL Validation: Prevents SSRF and malicious redirects
- Signature Verification: Updates are cryptographically signed
- Integrity Checks: File hashes verify authenticity
- Rollback Protection: Safe recovery from failed updates
- Version Validation: Prevents downgrade attacks
The following are considered valid security issues:
- Remote code execution
- Injection vulnerabilities (SQL, NoSQL, Command, LDAP, etc.)
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- Authentication/authorization bypasses
- Information disclosure
- Denial of service vulnerabilities
- Path traversal/Local file inclusion
- Unsafe deserialization
- Security misconfigurations
The following are generally not considered security issues:
- Attacks requiring physical access to a user's device
- Social engineering attacks
- Denial of service from external dependencies
- Issues in third-party services we integrate with
- Theoretical vulnerabilities without proof of concept
- Scanner reports without demonstration of impact
We appreciate the security research community's efforts in helping keep DollhouseMCP safe. Security researchers who report valid vulnerabilities will be:
- Acknowledged in our release notes (unless you prefer to remain anonymous)
- Listed in our Security Hall of Fame
- Eligible for our bug bounty program (coming soon)
For maximum security, we recommend:
- Keep Updated: Always use the latest version
- Review Elements: Audit community elements before activation
- Limit Permissions: Run with minimum necessary privileges
- Monitor Activity: Review logs for suspicious behavior
- Report Issues: Help us by reporting suspicious content
As a solo-maintained project, the disclosure process is straightforward:
- Report Receipt: I'll acknowledge when I see it (no guaranteed timeline)
- Assessment: I'll evaluate the issue when I have time
- Fix Development: If I agree it's a security issue and have time, I'll work on a fix
- Release: When a fix is ready, I'll release it with appropriate notes
- Public Disclosure: Security advisories will be published when appropriate
Please note:
- I appreciate responsible disclosure and will do my best to coordinate with reporters
- However, I cannot guarantee specific timelines or commit to embargo periods
- If you need a fix urgently, you're welcome to submit a pull request
- Security Issues: Use GitHub Security Advisories or security@dollhousemcp.com (coming soon)
- General Questions: GitHub Discussions
- Bug Reports: GitHub Issues
For technical details about our security architecture and implementations:
Last Updated: September 19, 2025 Version: 1.0
Thank you for helping keep DollhouseMCP secure! π