Security Policy
July 3, 2026 · View on GitHub
Reporting a Vulnerability
If you discover a security vulnerability in the Social Neuron MCP Server, please report it responsibly.
Email: security@socialneuron.com
Please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
Response timeline:
- Acknowledgment within 48 hours
- Initial assessment within 5 business days
- Fix timeline communicated within 10 business days
Scope
This policy covers:
@socialneuron/mcp-servernpm package- Social Neuron Edge Functions
- Social Neuron API endpoints
Out of Scope
- Third-party dependencies (report to upstream maintainers)
- Social engineering attacks
- DoS/DDoS attacks
Supported Versions
| Version | Supported |
|---|---|
| 1.7.x | Yes |
| < 1.7 | No |
Credential Safety
This npm package contains no service role keys or admin credentials.
- The
SUPABASE_SERVICE_ROLE_KEYis never hardcoded — it is only read from environment variables at runtime, and only in legacy self-hosted mode. - The embedded
CLOUD_SUPABASE_URLandCLOUD_SUPABASE_ANON_KEYare intentionally public — they are the same values shipped in the frontend bundle. The anon key JWT decodes to"role": "anon", and all data access is gated by Row Level Security (RLS). - API keys are stored in the OS keychain (macOS Keychain / Linux
secret-tool) or achmod 0600credentials file. They are never committed to source control. - The
npm packoutput is restricted todist/,README.md,CHANGELOG.md, andLICENSEvia both.npmignoreandpackage.json filesfield.
Security Best Practices
- Always use API key authentication (not service-role keys)
- Rotate API keys every 90 days
- Use minimum required scopes (
mcp:readfor read-only access) - Set
daily_credit_capto prevent runaway costs - Keep the package updated to the latest version
- Set
DO_NOT_TRACK=1to disable telemetry if desired
Scanner False Positives
Security scanners (TruffleHog, Gitleaks, etc.) may flag the embedded Supabase anon key in src/lib/supabase.ts. This is not a vulnerability:
- The anon key is intentionally public — it's the same value shipped in the frontend JavaScript bundle
- The JWT payload decodes to
"role": "anon"— it has no elevated privileges - All data access is gated by Row Level Security (RLS) policies
- The
SUPABASE_SERVICE_ROLE_KEYis never embedded in this package
The .gitleaks.toml configuration allowlists this file to suppress false positives.
Rate Limiting
- Edge Function endpoints enforce per-IP rate limits (60 requests/minute)
- API keys are hashed (SHA-256) before storage and comparison
- Key cache entries expire after 10 seconds to limit revocation exposure window