- Security Policy
We actively support security updates for the following versions of mcp-metricflow:

| Version | Supported |
|---|---|
| Latest | ✅ |
| < Latest | ❌ |
We recommend always using the latest version to ensure you have the most recent security updates.
We take security vulnerabilities seriously. If you discover a security vulnerability, please follow these steps:
Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.
Instead, please report the vulnerability by:
- Email: Send details to datnguyen.it09@gmail.com
- Subject Line: Include "SECURITY VULNERABILITY - mcp-metricflow" in the subject
- GitHub Security Advisories: Use GitHub's private vulnerability reporting feature (preferred)
Please include as much information as possible:
- Type of vulnerability (e.g., authentication bypass, code injection, etc.)
- Step-by-step instructions to reproduce the issue
- Potential impact and attack scenarios
- Any suggested fixes or mitigations
- Your contact information for follow-up questions
We will acknowledge receipt of your vulnerability report within 48 hours and provide a more detailed response within 7 days indicating the next steps in handling your report.
When using mcp-metricflow, please follow these security best practices:
- Never commit API keys to version control
- Use environment variables for sensitive configuration
- Rotate API keys regularly
- Use strong, unique API keys for production environments
- Limit API key permissions to the minimum required scope
- Secure your `.env` files and never commit them to version control
- Use different API keys for development, staging, and production
- Implement proper access controls for your dbt projects and data warehouse
- Regularly audit your environment variables and remove unused keys
- Use HTTPS for all SSE server communications
- Implement proper firewall rules when exposing the SSE server
- Consider using a reverse proxy with additional security features
- Monitor server logs for suspicious activity
- Validate all inputs to MetricFlow commands
- Implement proper authentication for SSE mode when required
- Use least privilege principles for database connections
- Regularly audit your dbt project permissions
- The SSE server can be run with or without authentication
- When `MCP_REQUIRE_AUTH=false`, the server accepts all connections
- API keys are transmitted in HTTP headers - ensure HTTPS is used
- The `/health` endpoint is always accessible without authentication
- Commands are executed with the permissions of the running user
- Database credentials are inherited from dbt profiles
- Query results may contain sensitive business data
- Regular dependency updates are performed to address security vulnerabilities
- We use `bandit` for static security analysis
- Pre-commit hooks help prevent common security issues
- Assessment: We evaluate the severity and impact of reported vulnerabilities
- Development: We develop and test fixes in private repositories
- Coordination: For significant vulnerabilities, we may coordinate with other projects
- Release: We release security updates as quickly as possible
- Disclosure: We publish security advisories after fixes are available
- Watch this repository to receive notifications about security updates
- Check releases regularly for security-related updates
- Subscribe to our security advisories through GitHub
We follow responsible disclosure practices:
- Coordination: We work with security researchers to understand and fix vulnerabilities
- Timeline: We aim to fix critical vulnerabilities within 30 days
- Credit: We provide appropriate credit to security researchers (with their permission)
- Transparency: We publish security advisories for significant vulnerabilities
We thank the following security researchers for their responsible disclosure:
No security vulnerabilities have been reported yet.
Thank you for helping keep mcp-metricflow and the community safe!