We actively maintain and provide security updates for the following versions:
| Version | Supported | Status |
|---|---|---|
| 1.0.x | β Yes | Active |
| < 1.0 | β No | Deprecated |
Please do not report security vulnerabilities through public GitHub issues.
Send security issues directly to: security@leadmagic.io
Include the following information:
- π Description of the vulnerability
- π Steps to reproduce the issue
- π Impact assessment (who/what is affected)
- π οΈ Suggested fix (if you have one)
- π Related files/code sections
- π§ Your contact information
- 24 hours: Initial acknowledgment
- 72 hours: Initial assessment and severity classification
- 7 days: Detailed response with remediation plan
- 30 days: Target resolution for high/critical issues
We appreciate responsible disclosure and will:
- π Credit you in our security advisories (if desired)
- π Provide LeadMagic credits for valid vulnerabilities
- π Recognition in our hall of fame
β Do:
- Store API keys in environment variables
- Use
.envfiles for local development (never commit them) - Rotate API keys regularly
- Use separate keys for different environments
- Monitor API key usage in your dashboard
β Don't:
- Hardcode API keys in source code
- Share API keys in chat/email
- Commit
.envfiles to version control - Use production keys in development
- Log API keys in application logs
β Recommended:
- Use HTTPS for all API communications
- Implement request timeout limits
- Use firewall rules to restrict outbound connections
- Monitor API usage and rate limits
- Implement proper error handling to avoid information leakage
β MCP Client Security:
- Never expose API keys to client-side code
- Run MCP server in secure environments only
- Use least-privilege access principles
- Regularly update MCP client applications
- Monitor MCP server logs for suspicious activity
β Secure Configuration:
# β
Good - Environment variable
export LEADMAGIC_API_KEY="your-secure-api-key"
# β
Good - .env file (not committed)
LEADMAGIC_API_KEY=your-secure-api-key
# β Bad - Hardcoded in code
const apiKey = "lm_1234567890abcdef"; // NEVER DO THISInput Validation:
- All inputs validated with Zod schemas
- Type-safe TypeScript implementation
- Sanitized error messages
- Request size limits
Network Security:
- HTTPS-only API communication
- Configurable timeout settings
- Automatic retry with exponential backoff
- User-agent identification
Error Handling:
- No sensitive data in error messages
- Sanitized stack traces
- Proper HTTP status codes
- Logged security events
Data Handling:
- No persistent storage of sensitive data
- Minimal data retention
- Secure API communication
- GDPR compliance considerations
Privacy:
- No personal data logging
- Configurable debug levels
- Optional request/response logging
- Data minimization principles
Risk: API keys in environment variables can be accessed by any process Mitigation:
- Use secure environment variable management
- Restrict process access permissions
- Monitor environment variable access
Risk: API requests could be intercepted Mitigation:
- Always use HTTPS (enforced by default)
- Implement certificate pinning if needed
- Use VPN for sensitive environments
Risk: API abuse or DoS attacks Mitigation:
- Built-in rate limiting respect
- Configurable timeout settings
- Monitor API usage patterns
- API keys stored securely (environment variables)
- No sensitive data in logs
- Input validation implemented
- Error handling doesn't leak information
- Dependencies regularly updated
- Security tests included
- Secure environment configuration
- Network access properly restricted
- Monitoring and alerting configured
- Regular security updates applied
- Access logs monitored
- Backup and recovery plans tested
- API keys rotated regularly
- Usage monitored in dashboard
- Secure development environment
- Latest version installed
- Security advisories subscribed
- π Stop: Don't continue using potentially compromised systems
- π Secure: Rotate API keys immediately
- π§ Report: Contact security@leadmagic.io
- π Document: Save logs and evidence
- β° Monitor: Watch for unusual activity
- π§ Acknowledgment: We'll confirm receipt within 24 hours
- π Investigation: Assess impact and scope
- π οΈ Mitigation: Implement immediate fixes
- π’ Communication: Update affected users
- π Post-mortem: Document lessons learned
- π¨ Security Issues: security@leadmagic.io
- π¬ General Support: support@leadmagic.io
- π¬ Community: Discord
This security policy is reviewed and updated regularly. Check back for the latest security guidance and best practices.
Last Updated: June 27, 2025 Version: 1.0.0
π‘οΈ Security is a shared responsibility. Thank you for helping keep LeadMagic MCP Server secure!