We take security seriously. If you discover a security vulnerability, please report it responsibly.
- ❌ Open a public GitHub issue
- ❌ Discuss the vulnerability publicly before it's fixed
- ❌ Exploit the vulnerability
- Email us directly: hi@sylphx.com
- Include detailed information:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if you have one)
- Wait for our response - We aim to respond within 48 hours
- Report received - We acknowledge within 48 hours
- Investigation - We assess severity and impact (1-7 days)
- Fix development - We develop and test a fix
- Coordinated disclosure - We release the fix and publish security advisory
- Credit - We credit the reporter (if desired)
- We'll keep you informed throughout the process
- We'll coordinate disclosure timing with you
- We'll credit you in the security advisory (unless you prefer anonymity)
✅ All SylphxAI repositories
- MCP servers (pdf-reader-mcp, filesystem-mcp, rag-server-mcp)
- Libraries (craft, zen, silk)
- Tools and utilities
- Documentation sites
✅ Security Issues
- Authentication/authorization bypasses
- Code injection vulnerabilities
- Path traversal attacks
- Denial of service (DoS)
- Information disclosure
- Cryptographic weaknesses
- Dependency vulnerabilities
❌ Not Considered Security Issues
- Issues requiring physical access to user's machine
- Social engineering attacks
- Attacks requiring user to install malicious software
- Issues in third-party dependencies (report to the dependency maintainers)
- Theoretical vulnerabilities without proof of concept
When contributing code:
- Never commit secrets

  ```bash
  # ❌ Don't do this
  API_KEY=sk-1234567890abcdef

  # ✅ Do this
  API_KEY=${API_KEY}  # Read from environment
  ```

- Validate all inputs

  ```typescript
  // ✅ Good
  function processFile(path: string) {
    if (!isValidPath(path)) {
      throw new Error('Invalid path');
    }
    // ...
  }
  ```

- Handle errors securely

  ```typescript
  // ❌ Don't expose internals
  catch (error) {
    throw new Error(error.stack);
  }

  // ✅ Safe error messages
  catch (error) {
    throw new Error('Failed to process file');
  }
  ```

- Use secure dependencies

  ```bash
  # Check for vulnerabilities
  npm audit

  # Fix vulnerabilities
  npm audit fix
  ```
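
One way to implement the `isValidPath` check from the "Validate all inputs" item, as an added example that is not code from the Sylphx repositories: it confines a path to a list of allowed roots and rejects `..` segments, sibling directories that share the root's name prefix, and symlinks that lead out of the root. The `allowedRoots` parameter and the `realpathOfExisting` and `demo` helpers are assumptions made for this example, and POSIX paths are assumed.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Resolve symlinks on the longest existing prefix so new files are checked via their real parent.
function realpathOfExisting(p: string): string {
  let current = path.resolve(p); // also collapses "." and ".." segments
  const tail: string[] = [];
  while (fs.lstatSync(current, { throwIfNoEntry: false }) === undefined) {
    const parent = path.dirname(current);
    if (parent === current) break; // reached the filesystem root
    tail.unshift(path.basename(current));
    current = parent;
  }
  return path.join(fs.realpathSync(current), ...tail);
}

// Hypothetical isValidPath(); allowedRoots is an assumed parameter (the configured directories).
function isValidPath(candidate: string, allowedRoots: string[]): boolean {
  if (candidate.includes("\0")) return false; // reject embedded NUL bytes
  try {
    const real = realpathOfExisting(candidate);
    return allowedRoots.some((root) => {
      const rel = path.relative(fs.realpathSync(root), real);
      // Inside the root: rel is "" or a descendant, never ".." or "../x".
      return !(rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel));
    });
  } catch {
    return false; // fail closed: dangling symlink, missing root, EACCES
  }
}

// Constructed sandbox: allowed root, a sibling sharing its name prefix, and a symlink leading out.
function demo(): Record<string, boolean> {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "confine-"));
  const root = path.join(base, "safe");
  fs.mkdirSync(root);
  fs.mkdirSync(path.join(base, "safe-evil"));
  fs.writeFileSync(path.join(root, "a.pdf"), "");
  fs.symlinkSync(base, path.join(root, "escape"));
  const check = (p: string): boolean => isValidPath(p, [root]);
  return {
    inside: check(path.join(root, "a.pdf")),
    newFile: check(path.join(root, "new", "b.pdf")),
    dotdot: check(root + "/../safe-evil/x"),
    prefixSibling: check(path.join(base, "safe-evil", "x")),
    symlink: check(path.join(root, "escape", "safe-evil", "x")),
  };
}
```

A plain `startsWith(root)` string comparison would accept the `safe-evil` sibling and the symlinked path; comparing resolved paths with `path.relative` rejects both.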
When using our tools:
- Keep packages updated

  ```bash
  npm update
  ```

- Review permissions - Especially for MCP servers
- Use environment variables - Never hardcode secrets
- Enable security features - Use sandboxing when available
We provide security updates for:
| Package | Supported Versions |
|---|---|
| pdf-reader-mcp | Latest release only |
| filesystem-mcp | Latest release only |
| rag-server-mcp | Latest release only |
| craft | Latest major version |
| zen | Latest major version |
| silk | Latest release only |
Recommendation: Always use the latest version.
- ✅ Sandboxed PDF processing
- ✅ Input validation for file paths
- ✅ Resource limits (file size, processing time)
- ✅ No external network access during processing
- ✅ Root directory confinement
- ✅ Path traversal protection
- ✅ Permission controls
- ✅ No access outside allowed directories
- ✅ Local-only processing (no cloud)
- ✅ ChromaDB data isolation
- ✅ No external API calls with user data
Important: MCP servers run with your local user permissions.
- Running servers from untrusted sources
- Granting filesystem access
- Processing untrusted files
- Connecting to remote MCP servers
✅ Best Practices:

```json
{
  "mcpServers": {
    "filesystem": {
      "command": "npx",
      "args": ["-y", "@sylphx/filesystem-mcp"],
      "env": {
        "ALLOWED_DIRECTORIES": "/safe/path/only"
      }
    }
  }
}
```

We recognize and thank security researchers who responsibly disclose vulnerabilities:
(No reports yet)
Security Team: hi@sylphx.com
For non-security issues:
- GitHub Issues: Use repository issue tracker
- General Questions: hi@sylphx.com
- Twitter: @SylphxAI
This policy may be updated from time to time. Check back regularly for changes.
Last Updated: January 2025
Security is a shared responsibility
Thank you for helping keep Sylphx projects secure