If you discover a security vulnerability in Clarvia, please report it responsibly.

1. Do NOT open a public issue for security vulnerabilities
2. Email security concerns to the repository maintainers via GitHub's private vulnerability reporting
3. Go to Security Advisories and click "Report a vulnerability"

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)

• Acknowledgment: Within 48 hours
• Initial Assessment: Within 1 week
• Fix/Patch: Depends on severity (critical: ASAP, high: 1 week, medium: 2 weeks)

• All API endpoints use HTTPS
• Rate limiting is enforced
• No authentication required for read-only public data
• API keys required for write operations

• Clarvia indexes publicly available tool metadata only
• No user credentials or private data are stored
• Tool scores are computed from public signals

• The MCP server operates in read-only mode
• No filesystem access beyond its own configuration
• All external API calls use HTTPS
• No sensitive data is transmitted to third parties

• Dependencies are regularly updated
• npm audit and pip audit are run on CI
• Known vulnerabilities are patched promptly

The following are in scope for security reports:

• Clarvia API (clarvia-api.onrender.com)
• Clarvia MCP Server (npm: clarvia-mcp-server)
• Clarvia website (clarvia.art)
• GitHub repository code

Out of scope:

• Third-party services we integrate with
• Social engineering attacks
• Denial of service attacks