Security¶
Reporting Vulnerabilities¶
DO NOT open public issues for security vulnerabilities.
Use GitHub's Private Vulnerability Reporting feature:
- Go to the Security tab
- Click "Report a vulnerability"
- Fill out the advisory form with details
Expected response time: 48 hours
Security Measures¶
Automated Scanning¶
Mnemex uses multiple security scanning tools:
- Dependabot: Automated dependency updates
- pip-audit: Official PyPA vulnerability scanner
- Bandit: Python security linter
- CodeQL: Semantic code analysis
Scans run:
- On every push/PR
- Weekly scheduled scans (Mondays 10:00 UTC)
- Manual workflow dispatch
Supply Chain Security¶
- Dependencies tracked with Dependabot
- Auto-merge only for low-risk updates (patch/minor bumps of development dependencies)
- All dependencies installed from PyPI, the official package index (hash-pinned requirements are on the roadmap below)
Local-First Privacy¶
🔒 All data is stored locally: no cloud services, no tracking, no data sharing.
- Short-term memory: `~/.config/mnemex/jsonl/` (JSONL format)
- Long-term memory: your Obsidian vault (Markdown)
- Configuration: `~/.config/mnemex/.env`
File Permissions¶
Sensitive files use restrictive permissions (owner read/write only). These POSIX modes have no effect on Windows, where `os.chmod` can only toggle the read-only flag:

```python
import os

# Config files: rw------- (0o600)
os.chmod(config_file, 0o600)
# Storage directories: rwx------ (0o700)
os.chmod(storage_dir, 0o700)
```
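Calling `chmod` after a file has already been written leaves a window in which it carries the umask default (often world-readable), and it silently trusts whatever is already at that path. The following is an added example, not Mnemex's own code, showing how to create the config file and storage directory with the mode applied at creation time, replace the file atomically, and audit a path for drift (wrong owner, symlink, group/other bits). It assumes a POSIX filesystem; the paths and the `MNEMEX_DEBUG` setting are placeholders.

```python
"""Owner-only config/storage paths, created without a permission race, plus an
audit that flags drift.  Added example; not code from the Mnemex project."""
import os
import stat
import tempfile
from pathlib import Path

PRIVATE_FILE_MODE = 0o600  # rw-------
PRIVATE_DIR_MODE = 0o700   # rwx------


def ensure_private_dir(path) -> Path:
    """Create the storage directory (and parents) and force it to 0o700.
    mkdir's mode is masked by umask, so chmod afterwards makes it exact."""
    path = Path(path)
    path.mkdir(mode=PRIVATE_DIR_MODE, parents=True, exist_ok=True)
    os.chmod(path, PRIVATE_DIR_MODE)
    return path


def write_private_file(path, data: bytes) -> Path:
    """Write `data` so that the file is never readable by others, even briefly.

    Passing the mode to os.open() applies it at creation; umask can only
    remove bits, so 0o600 is an upper bound from the first instant.
    O_EXCL|O_NOFOLLOW refuses a symlink planted at the temp name, and
    os.replace() swaps the finished file in atomically."""
    path = Path(path)
    tmp = path.with_name(path.name + ".tmp")
    tmp.unlink(missing_ok=True)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(tmp, flags, PRIVATE_FILE_MODE)
    try:
        os.write(fd, data)
        os.fsync(fd)
    finally:
        os.close(fd)
    os.chmod(tmp, PRIVATE_FILE_MODE)  # exact mode even under an unusual umask
    os.replace(tmp, path)
    return path


def audit_private_path(path) -> list:
    """Return findings for a path that should be private; [] means it is."""
    findings = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return ["is a symlink; refusing to trust it"]
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        findings.append(f"owned by uid {st.st_uid}, not the current user")
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o} grants group/other access")
    return findings


def demo() -> dict:
    """Run the helpers in a throwaway directory and report what was observed."""
    with tempfile.TemporaryDirectory() as tmp:
        storage = ensure_private_dir(Path(tmp) / "mnemex" / "jsonl")
        env = write_private_file(Path(tmp) / "mnemex" / ".env", b"MNEMEX_DEBUG=0\n")
        clean = audit_private_path(storage) + audit_private_path(env)
        env_mode = stat.S_IMODE(os.stat(env).st_mode)
        write_private_file(env, b"MNEMEX_DEBUG=1\n")  # replacement keeps the mode
        replaced = env.read_bytes()
        os.chmod(env, 0o644)                           # simulate a careless chmod
        loosened = audit_private_path(env)
        return {"clean": clean, "env_mode": env_mode,
                "replaced": replaced, "loosened": loosened}


if __name__ == "__main__":
    print(demo())
```

Running `audit_private_path` over `~/.config/mnemex/.env` and the JSONL directory at startup, and refusing to start when it returns findings, turns the permission policy into a check rather than a one-time `chmod`.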
Input Validation¶
All user inputs validated:
- Memory IDs checked for format
- File paths validated (no traversal)
- Tags/entities sanitized
- Content size limits enforced
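The four checks above are easy to state and easy to get subtly wrong (a `..` filter that misses an absolute path, a symlink inside the vault, or a full-width look-alike in a tag). The following added example, not Mnemex's own code, shows one way to implement them in Python: an allow-list format for memory IDs, NFKC-normalised tags, a byte-based content limit that also rejects stray control characters, and path containment by canonicalising both sides before comparing. The UUID format, the tag alphabet, the 64 KiB limit, the `.md`-only rule for vault files and the example vault path are all assumptions for illustration.

```python
"""Input validators for memory IDs, tags/entities, content and vault paths.
Added example; the formats and limits are assumptions, not Mnemex's values."""
import re
import unicodedata
from pathlib import Path

MEMORY_ID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")  # lowercase UUID
TAG_RE = re.compile(r"^[a-z0-9][a-z0-9._-]{0,63}$")                       # allow-list alphabet
MAX_CONTENT_BYTES = 64 * 1024                                              # assumed limit
ALLOWED_CONTROL = {"\n", "\r", "\t"}
EXAMPLE_VAULT = "/tmp/mnemex-vault-example"                                # placeholder root


class ValidationError(ValueError):
    """Raised for any input that must not reach storage."""


def validate_memory_id(value) -> str:
    """Accept only a lowercase UUID, so an ID can never smuggle path or
    query syntax ('../x', 'id; rm -rf ...') into the storage layer."""
    if not isinstance(value, str) or not MEMORY_ID_RE.fullmatch(value):
        raise ValidationError(f"malformed memory id: {value!r}")
    return value


def validate_tag(value) -> str:
    """Canonicalise a tag or entity name.  NFKC folds look-alike code points
    (full-width letters, compatibility forms); the allow-list regex then
    rejects whitespace, control characters and path separators."""
    if not isinstance(value, str):
        raise ValidationError("tag must be a string")
    canon = unicodedata.normalize("NFKC", value).strip().lower()
    if not TAG_RE.fullmatch(canon):
        raise ValidationError(f"invalid tag: {value!r}")
    return canon


def validate_content(text) -> str:
    """Limit size in bytes (what lands on disk, not code points) and reject
    control characters other than newline/tab, which would corrupt a JSONL
    record or Markdown note."""
    if not isinstance(text, str):
        raise ValidationError("content must be a string")
    if len(text.encode("utf-8")) > MAX_CONTENT_BYTES:
        raise ValidationError("content exceeds size limit")
    for ch in text:
        if unicodedata.category(ch) == "Cc" and ch not in ALLOWED_CONTROL:
            raise ValidationError(f"control character U+{ord(ch):04X} in content")
    return text


def resolve_within(root, user_path, allowed_suffixes=(".md",)) -> str:
    """Map a user-supplied path onto a file strictly inside `root`.
    Both sides are canonicalised (".." segments and symlinks collapse), then
    containment is checked, so '../../etc/passwd', an absolute path and a
    symlink inside the vault that points outside it are all refused."""
    if not isinstance(user_path, str) or not user_path or "\x00" in user_path:
        raise ValidationError("empty path or NUL byte")
    base = Path(root).resolve()
    target = (base / user_path).resolve()
    if base not in target.parents:          # also rejects the root itself
        raise ValidationError(f"path escapes storage root: {user_path!r}")
    if target.suffix.lower() not in allowed_suffixes:
        raise ValidationError(f"disallowed file type: {target.suffix!r}")
    return str(target)


def rejects(fn, *args) -> bool:
    """True if fn(*args) raises ValidationError; handy for self-checks."""
    try:
        fn(*args)
    except ValidationError:
        return True
    return False


if __name__ == "__main__":
    print(resolve_within(EXAMPLE_VAULT, "notes/2024/idea.md"))
    print(rejects(resolve_within, EXAMPLE_VAULT, "../../etc/passwd"))  # True
```

The containment check deliberately canonicalises with `resolve()` rather than scanning for `..`: the dangerous inputs are the ones a string filter does not anticipate (absolute paths, `notes/../../x`, symlinks created by another process), and comparing resolved paths handles all of them with one rule.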
Best Practices¶
Configuration Security¶
- Never commit `.env` files to version control
- Use restrictive permissions on config files
- Review configuration before sharing
Storage Security¶
- Make regular backups (Git integration is available)
- Encrypt the disk for additional protection
- Review stored data periodically
Integration Security¶
- MCP server runs locally (no network access)
- Claude Desktop controls access to tools
- No external API calls without explicit config
Security Roadmap¶
Ongoing improvements tracked in Issue #6:
- SBOM (Software Bill of Materials) generation
- Dependency pinning with hashes
- Runtime security audits
- Additional input validation
- Path traversal prevention hardening
Disclosure Policy¶
When you report a vulnerability:
- Acknowledgment: within 48 hours
- Assessment: within 7 days
- Fix timeline: depends on severity
  - Critical: 24-48 hours
  - High: 7 days
  - Medium: 30 days
  - Low: next release
- Coordinated disclosure: release timing is agreed with the reporter
Security Contact¶
Use GitHub's Private Vulnerability Reporting feature (see Reporting Vulnerabilities above).
Security Updates¶
Subscribe to:
- GitHub Security Advisories
- Release notifications
License¶
Security practices follow OWASP guidelines and OSSF best practices.
See also:
- SECURITY.md (main policy)
- Contributing guidelines