Chronos MCP takes security seriously. This document outlines our current security posture and ongoing improvements.
As of v2.0.0, Chronos MCP uses system keyring for secure password storage:
- macOS: Keychain Access
- Windows: Windows Credential Locker
- Linux: Secret Service (GNOME Keyring, KWallet, etc.)
Passwords are no longer stored in plain text. For environments without keyring support (containers, SSH sessions), the system falls back to configuration file storage with clear warnings.
To migrate existing plain text passwords to secure storage:
```bash
python scripts/migrate_to_keyring.py
```
- Issue: Input validation for CalDAV URLs and other user inputs is incomplete
- Impact: Potential for injection attacks or malformed requests
- Status: Basic validation implemented, comprehensive validation planned for v2.1.0
- Issue: No protection against rapid API calls
- Impact: Potential for resource exhaustion
- Mitigation: Planned for v2.1.0
Please report security vulnerabilities via:
- GitHub Security Advisories (preferred)
- Email: code-developer@democratize.technology (PGP key available on request)
Please do not report security issues through public GitHub issues.
- Implement keyring support for credential storage
- Implement secure credential migration tool
- Add basic input validation
- XSS and injection prevention
- Path traversal protection
- Enhanced input validation for all user inputs
- Add rate limiting
- Implement API authentication
- Add audit logging
- Credential Security: Use system keyring (automatic in v2.0.0+)
- File Permissions: Ensure `~/.chronos/` has restrictive permissions
- Network Security: Use HTTPS for CalDAV connections when possible
- Account Security: Use app-specific passwords where supported
- Regular Updates: Keep Chronos MCP updated for security patches
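The keyring-first storage with a warned config-file fallback described above, together with a check that `~/.chronos/` is restricted to the owning user, as an added example that is not the project's own code. It assumes the Python `keyring` library (which fronts Keychain, Credential Locker and Secret Service), a service name `chronos-mcp`, a file name `accounts.json` and a JSON layout; none of these are taken from Chronos MCP.

```python
import json
import os
import tempfile
import warnings
from pathlib import Path

try:
    import keyring  # backends: macOS Keychain, Windows Credential Locker, Secret Service
except ImportError:  # library absent: behave like a host without keyring support
    keyring = None

SERVICE = "chronos-mcp"  # assumed keyring service name, not taken from the project


def store_password(account, username, password, config_dir, keyring_module=keyring):
    """Store a CalDAV password; return "keyring" or "config" to say where it went."""
    if keyring_module is not None:
        try:
            keyring_module.set_password(SERVICE, f"{account}:{username}", password)
            return "keyring"
        except RuntimeError:  # NoKeyringError (no backend) subclasses RuntimeError;
            pass              # other backend errors surface rather than downgrade
    warnings.warn(
        f"No system keyring available; storing password for '{account}' in "
        f"{config_dir}. Restrict that directory to your user only.", RuntimeWarning)
    config_dir = Path(config_dir)
    config_dir.mkdir(mode=0o700, parents=True, exist_ok=True)
    path = config_dir / "accounts.json"  # assumed file name
    data = json.loads(path.read_text()) if path.exists() else {}
    data[account] = {"username": username, "password": password}
    # Create with 0600 before any bytes are written, so there is no readable window.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(data, fh)
    os.chmod(path, 0o600)  # tighten a pre-existing file that may have been laxer
    return "config"


def insecure_paths(config_dir):
    """Return paths under config_dir that are readable or writable by group/other."""
    root = Path(config_dir)
    return sorted(str(p) for p in [root, *root.rglob("*")] if p.stat().st_mode & 0o077)


def demo():
    """Exercise the fallback path in a temp dir (constructed data); return observations."""
    with tempfile.TemporaryDirectory() as d:
        where = store_password("work", "alice", "constructed-secret", d, keyring_module=None)
        before = len(insecure_paths(d))
        os.chmod(Path(d) / "accounts.json", 0o644)  # simulate a file loosened by hand
        return {"where": where, "before": before, "after": len(insecure_paths(d))}
```

Running `insecure_paths` against the real `~/.chronos/` is the check behind the File Permissions item above; any path it returns is one the fallback store has left readable to other local users.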
- Credential Management: System keyring integration with secure fallback
- Input Sanitization: Protection against XSS and injection attacks
- Error Handling: Sanitized error messages that don't leak sensitive information
- RFC Compliance: Validation follows CalDAV and iCalendar standards
We appreciate responsible disclosure of security vulnerabilities.