diff --git a/README.md b/README.md index b37e923cf..bd1e769d3 100644 --- a/README.md +++ b/README.md @@ -697,3 +697,11 @@ The exported Go API of this module should currently be considered unstable, and ## License This project is licensed under the terms of the MIT open source license. Please refer to [MIT](./LICENSE) for the full terms. + +## Security and Versioning + +For supported versions, security policies, and disclosure process, see [SECURITY.md](./SECURITY.md). The minimum Go version and critical dependency versions are tracked in go.mod; see SECURITY.md for guidance and example commands to verify versions locally. The published container image is ghcr.io/github/github-mcp-server; for production use, pin image tags or digests. + +### Model Providers + +This server does not call any model providers. It exposes GitHub tools over MCP to a host which may use models independently (e.g., VS Code Copilot Chat, Claude Desktop). See [SECURITY.md](./SECURITY.md) for details. diff --git a/SECURITY.md b/SECURITY.md index 67a9cbf2c..a5a784fde 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -29,3 +29,33 @@ This information will help us triage your report more quickly. ## Policy See [GitHub's Safe Harbor Policy](https://docs.github.com/en/site-policy/security-policies/github-bug-bounty-program-legal-safe-harbor#1-safe-harbor-terms) + +## Supported Versions and Update Policy + +- Unless otherwise stated in a repository’s README or SECURITY.md, GitHub maintains security fixes on a best-effort basis for the latest published release and any current container image tags. Older releases may not receive patches. +- Where applicable, supported distribution formats and architectures are documented in the repository (for example, downloadable binaries, source archives, or container images on GitHub Container Registry). In production, pin to a specific version tag or image digest. + +## Security-Relevant Versions + +For each GitHub-owned repository, consult the repository for authoritative version information: +- Toolchain and minimum versions: check language/tool manifests (for example, go.mod for Go, package.json for JavaScript, pyproject.toml for Python). +- Dependency versions: review the repository’s dependency manifest and any third-party license or SBOM files (for example, THIRD_PARTY_NOTICES or third-party-licenses.*). +- Container images (if published): use the repository’s Releases page or container registry page for available tags; in CI/production, prefer pinning by immutable digests. + +Examples (adjust to the repository’s language/tooling): +- List the declared Go version: `grep '^go ' go.mod` +- List pinned Go modules: `go list -m -mod=mod all | sort` +- Inspect a container image: `docker pull /:` and `docker inspect /:` + +## Model Providers Used by This Project + +Unless explicitly documented in the repository, GitHub-owned open source projects do not embed or directly call proprietary AI/LLM model providers. Any AI/model usage typically occurs in downstream tools or hosts that integrate with the project and is outside the scope of the repository itself. If a project integrates with a model provider, the repository will document the provider(s), configuration, and data flow. + +## Keeping This Document Up To Date + +For maintainers, when cutting a new release: +- Review and update any Supported Versions statements in the repository. +- Confirm minimum toolchain versions from the project’s manifest. +- Review major versions of security-relevant dependencies. +- Verify published container image tags/digests (if applicable). +- Ensure links in this document remain valid.