register-mcp is pre-1.0; only the latest main and the most recent tagged
release receive security fixes.
| Version | Supported |
|---|---|
main |
β |
0.1.x |
β |
< 0.1 |
β |
Please report security issues privately, not via public GitHub issues.
- Open a GitHub Security Advisory β preferred.
- Or email the maintainer (see the GitHub profile of @malkreide).
Include, if possible:
- A description of the issue and its impact
- Steps to reproduce or a proof-of-concept
- The affected version / commit SHA
- Any suggested mitigation
| Step | Target |
|---|---|
| Acknowledgement | within 5 working days |
| Triage & severity | within 10 working days |
| Fix or mitigation | best effort; critical issues are prioritised |
This repository ships an MCP server that reads from the public Zefix REST API. In-scope are:
- The Python package
register_mcp(server, middleware, logging) - The published Docker image
- CI workflows under
.github/workflows/
Out of scope:
- Zefix-side API behaviour or data quality (report to
zefix@bj.admin.ch) - Issues only reproducible in a fork with modified middleware / auth removed
- Findings in dependencies β please file with the upstream project; we patch via Dependabot weekly.
When deploying the SSE transport publicly, in addition to the built-in
MCP_API_KEY + rate limit:
- Put a real gateway (Cloudflare Access, Railway internal networking, API-Gateway) in front of the container.
- Restrict egress to
www.zefix.admin.ch:443at the network layer. - Rotate
MCP_API_KEYon a schedule and on personnel changes. - Forward the JSON logs to a SIEM and alert on sustained
auth_failedorrate_limitedevents.