Thank you for helping keep Seq MCP Server and its users safe. We take security vulnerabilities seriously and appreciate responsible disclosure.

| Version | Supported |
|---|---|
| 1.1.x | ✅ |
| < 1.1 | ❌ |

Only the latest released version receives security updates. If you are using an older version, please upgrade before reporting.
Please do NOT report security vulnerabilities through public issues, discussions, or pull requests.
Instead, use GitHub Security Advisories to report vulnerabilities privately.
This ensures the issue is handled confidentially and a fix can be prepared before public disclosure.
To help us understand and resolve the issue quickly, please include as much of the following as possible:
- A clear description of the vulnerability
- Step-by-step instructions to reproduce the issue
- The potential impact (e.g., data exposure, denial of service)
- The affected version(s) of Seq MCP Server
- The affected source code location (file, function, or module)
- Any special configuration required to reproduce the issue
- A suggested fix or mitigation (optional, but appreciated)

| Stage | Target Time |
|---|---|
| Acknowledgement | Within 48 hours |
| Assessment | Within 14 days |
| Fix | Within 90 days |

We will keep you informed of our progress throughout the process.
- The SeqMcpServer codebase and its published artifacts (NuGet package, GitHub releases)

The following are maintained by other organizations and should be reported to them directly:
- Seq server — report to Datalust
- MCP protocol — report to the Model Context Protocol project
- .NET runtime — report to Microsoft

We follow a coordinated disclosure model:
- The reporter submits a vulnerability through GitHub Security Advisories.
- We acknowledge receipt, investigate, and work on a fix within the timelines above.
- Once a fix is available, we publish a GitHub Security Advisory with a CVE identifier.
- The reporter receives credit in the advisory and release notes (unless they prefer to remain anonymous).
- If no fix is released within 90 days, the reporter may disclose the vulnerability publicly.

We consider security research conducted in good faith to be authorized and welcome it. We will not pursue legal action against researchers who:
- Act in good faith to avoid harm to users and the project
- Report vulnerabilities through the designated channel described above
- Avoid accessing or modifying other users' data
- Do not exploit vulnerabilities beyond the minimum necessary to demonstrate the issue
- Follow the coordinated disclosure model outlined in this policy

If you are unsure whether your research complies with this policy, please reach out through a GitHub Security Advisory before proceeding.