Security: jacksteamdev/obsidian-mcp-tools

SECURITY.md

Security Policy

Reporting a Vulnerability

The MCP Tools for Obsidian team takes security vulnerabilities seriously. If you discover a security issue, please report it by emailing jacksteamdev+security@gmail.com.

Please do not report security vulnerabilities through public GitHub issues.

When reporting a vulnerability, please include:

  • Description of the issue
  • Steps to reproduce
  • Potential impact
  • Any suggested fixes (if you have them)

You should receive a response within 48 hours. If for some reason you do not, please follow up via email to ensure we received your original message.

Disclosure Policy

When we receive a security bug report, we will:

  1. Confirm the problem and determine affected versions
  2. Audit code to find any similar problems
  3. Prepare fixes for all supported releases
  4. Release new versions and notify users

Binary Distribution Security

MCP Tools for Obsidian uses several measures to ensure secure binary distribution:

  1. SLSA Provenance: All binaries are built using GitHub Actions with SLSA Level 3 provenance attestation
  2. Reproducible Builds: Our build process is deterministic and can be reproduced from source
  3. Verification: Users can verify binary authenticity using:
    gh attestation verify --owner jacksteamdev <binary_path>

Runtime Security Model

The MCP server operates with the following security principles:

  1. Minimal Permissions:

    • Operates only in user space
    • Requires access only to:
      • Obsidian vault directory
      • Claude Desktop configuration
      • System logging directory
  2. API Security:

    • All communication is encrypted
    • Input validation and sanitization
  3. Data Privacy:

    • No telemetry collection
    • No external network calls except to Claude Desktop
    • All processing happens locally

Dependencies

We regularly monitor and update our dependencies for security vulnerabilities:

  • Automated security scanning with GitHub Dependabot
  • Regular dependency audits
  • Prompt patching of known vulnerabilities

Security Update Policy

  • Critical vulnerabilities: Patch within 24 hours
  • High severity: Patch within 7 days
  • Other vulnerabilities: Address in next release

Supported Versions

We provide security updates for:

  • Current major version: Full support
  • Previous major version: Critical security fixes only

Best Practices for Users

  1. Binary Verification:

    • Always verify downloaded binaries using GitHub's attestation tools
    • Check release signatures and hashes
    • Download only from official GitHub releases
  2. Configuration:

    • Use unique API keys
    • Regularly update to the latest version
    • Monitor plugin settings for unexpected changes
  3. Monitoring:

    • Check logs for unusual activity
    • Review Claude Desktop configuration changes
    • Keep track of plugin updates
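
The verification command from Binary Distribution Security and the Binary Verification practice above can be combined into one fail-closed check. This is an added example, not part of the project's own tooling; the function names, the exit codes and the caller-supplied expected digest are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: fail-closed verification of a downloaded release binary.
# OWNER is taken from the policy above; function names, exit codes and the
# expected-digest argument are assumptions of this example.
OWNER="jacksteamdev"

# Print the lowercase SHA-256 of a file using whichever tool is installed.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  else
    return 1
  fi
}

# verify_binary <path> <expected_sha256>
# Returns 0 only when the digest matches AND the attestation verifies.
# 2 = file missing, 3 = digest check failed, 4 = gh missing, 5 = attestation rejected
verify_binary() {
  local file="$1" expected actual
  # Normalise the expected digest so upper-case hex compares equal.
  expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
  [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
  actual="$(sha256_of "$file")" || { echo "no SHA-256 tool found" >&2; return 3; }
  if [ "$actual" != "$expected" ]; then
    echo "digest mismatch: got $actual" >&2
    return 3
  fi
  # A missing verifier is treated as a failure, never as "nothing to check".
  command -v gh >/dev/null 2>&1 || { echo "gh CLI not found; refusing to trust $file" >&2; return 4; }
  # Same command as in the policy: checks the build provenance attestation.
  gh attestation verify --owner "$OWNER" "$file" >/dev/null || {
    echo "attestation rejected for $file" >&2
    return 5
  }
  echo "verified: $file"
}
```

Call `verify_binary <binary_path> <expected_sha256>` before making the download executable, and treat any non-zero exit code as a reason to discard the file.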

Security Acknowledgments

We would like to thank the following individuals and organizations for responsibly disclosing security issues:

  • [To be added as vulnerabilities are reported and fixed]

License

This security policy is licensed under the MIT License.