| Version | Supported |
|---|---|
| 0.x | ✅ |
If you discover a security vulnerability in the Gitopia MCP Server, please report it responsibly.
Do NOT open a public GitHub issue for security vulnerabilities.
Instead, please email security@gitopia.com and include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
Response timeline:
- Acknowledgement: within 48 hours of report
- Initial assessment: within 5 business days
- Fix timeline: depends on severity, typically within 30 days for critical issues
This server handles sensitive wallet mnemonics for signing Gitopia blockchain transactions. Please note:
- User-provided mnemonics via the `GITOPIA_MNEMONIC` env var are held only in process memory
- When using the `file` wallet backend (default for auto-generated wallets), a derived signing key is persisted to `~/.mcp/gitopia/config/wallet.key` with restricted permissions (chmod 600). Never commit `wallet.key` files to version control
- Use `env.example` as a reference; never commit `.env` files with real credentials
- In production, use a secrets manager or secure environment variable injection
- In Docker, the wallet file lives inside the mounted volume at `/home/mcp/.mcp/gitopia/config/`
- The server validates message types before signing to prevent unauthorized transactions (only `/gitopia.gitopia.gitopia.*` and `/cosmos.group.v1.*` are allowed)
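The message-type allowlist described above, as an added illustration (not the Gitopia MCP Server's own code); it assumes messages carry Cosmos SDK style `typeUrl` fields and that the trailing `*` in each pattern stands for a single message name within that package:

```typescript
// Added example: allowlist check on message type URLs before signing.
// Not the project's own code; assumes Cosmos SDK style `typeUrl` values
// such as "/gitopia.gitopia.gitopia.MsgCreateRepository" (a constructed name).

// Patterns from the policy above. The trailing "." is kept in the prefix so
// that a sibling package like "/cosmos.group.v1beta1.*" does not match.
const ALLOWED_TYPE_URL_PATTERNS = ["/gitopia.gitopia.gitopia.*", "/cosmos.group.v1.*"];

function patternToPrefix(pattern: string): string {
  if (!pattern.startsWith("/") || !pattern.endsWith(".*")) {
    throw new Error(`unsupported allowlist pattern: ${pattern}`);
  }
  return pattern.slice(0, -1); // drop only the "*", keep the package boundary "."
}

const ALLOWED_PREFIXES = ALLOWED_TYPE_URL_PATTERNS.map(patternToPrefix);

function isAllowedMsgType(typeUrl: string): boolean {
  // Anchored prefix match plus a non-empty message name with no further
  // path or package separators (assumption: "*" means one message name).
  return ALLOWED_PREFIXES.some((prefix) => {
    if (!typeUrl.startsWith(prefix)) return false;
    const name = typeUrl.slice(prefix.length);
    return name.length > 0 && !name.includes("/") && !name.includes(".");
  });
}

interface EncodedMsg { typeUrl: string; value: Uint8Array; }

// Gate to run before any signing call: rejects the whole transaction if any
// message falls outside the allowlist, and refuses empty transactions.
function assertMessagesAllowed(msgs: EncodedMsg[]): void {
  if (msgs.length === 0) throw new Error("refusing to sign an empty transaction");
  const rejected = msgs.map((m) => m.typeUrl).filter((t) => !isAllowedMsgType(t));
  if (rejected.length > 0) {
    throw new Error(`refusing to sign: disallowed message types ${rejected.join(", ")}`);
  }
}

// Constructed sample transaction (not from a real chain): one allowed message
// mixed with a bank transfer that the policy does not permit.
const SAMPLE_MSGS: EncodedMsg[] = [
  { typeUrl: "/gitopia.gitopia.gitopia.MsgCreateRepository", value: new Uint8Array() },
  { typeUrl: "/cosmos.bank.v1beta1.MsgSend", value: new Uint8Array() },
];

function sampleIsRejected(): boolean {
  try { assertMessagesAllowed(SAMPLE_MSGS); return false; } catch { return true; }
}
```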