Security

SEC EDGAR MCP follows OWASP Tallinn Secure Software Practices to ensure the security and integrity of the project. This page outlines our security practices, vulnerability reporting process, and guidelines for secure usage.

Security Practices

SEC EDGAR MCP is designed with security as a core principle, following industry best practices for open-source software development.

Code Security

No Secrets in Code

Never commit API keys, tokens, or credentials
All sensitive data must be passed via environment variables
.gitignore includes common secret file patterns
Pre-commit hooks check for potential secrets

# Good: Using environment variables
export SEC_EDGAR_USER_AGENT="Your Name (your.email@domain.com)"

# Bad: Hardcoding in source
USER_AGENT = "Your Name (your.email@domain.com)"  # Never do this

Dependency Management

All dependencies are pinned to specific versions
Regular security audits using pip audit
Automated dependency updates via Dependabot
Lock files (uv.lock) ensure reproducible builds

# pyproject.toml - Pinned dependencies
dependencies = [
    "mcp[cli]>=1.7.1",
    "secedgar==0.6.0a0",
    "beautifulsoup4>=4.12.0",
    "requests>=2.31.0"
]

Input Validation

All user inputs are validated and sanitized:

CIK format validation (10 digits)
URL validation for filing access
Parameter type checking
Size limits on responses

# Example validation
def validate_cik(cik: str) -> str:
    if not cik.isdigit() or len(cik) != 10:
        raise ValueError("CIK must be 10 digits")
    return cik

Secure Communication

Development Security

Code Review Required

All changes must be reviewed before merging:

Pull request reviews by maintainers
Automated security checks via GitHub Actions
No direct commits to main branch

Signed Commits Encouraged

We encourage GPG-signed commits:

# Configure git for signing
git config --global user.signingkey YOUR_KEY_ID
git config --global commit.gpgsign true

Security Testing

Regular security testing includes:

Static analysis with bandit
Dependency vulnerability scanning
Container image scanning (for Docker)

Vulnerability Reporting

Found a security vulnerability? Please report it responsibly to help us keep SEC EDGAR MCP secure for everyone.

Reporting Process

Do NOT create a public GitHub issue
Email security concerns to: security@[maintainer-domain].com
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

What to Expect

Security Best Practices for Users

Environment Configuration

Run containers with minimal privileges:

# Good: Read-only container with dropped capabilities
docker run --read-only \
  --cap-drop ALL \
  --security-opt no-new-privileges \
  -e SEC_EDGAR_USER_AGENT="Your Name (your.email@domain.com)" \
  stefanoamorelli/sec-edgar-mcp:latest

# Limit resources
docker run --memory="512m" --cpus="1" \
  -e SEC_EDGAR_USER_AGENT="Your Name (your.email@domain.com)" \
  stefanoamorelli/sec-edgar-mcp:latest

Data Handling

Secure Usage Guidelines

API Key Management

If extending SEC EDGAR MCP:

# Good: Environment variables
import os
api_key = os.environ.get("MY_API_KEY")
if not api_key:
    raise ValueError("MY_API_KEY not set")

# Bad: Hardcoded keys
api_key = "sk-1234567890abcdef"  # Never do this

# Good: Secure key storage
from keyring import get_password
api_key = get_password("sec-edgar-mcp", "api_key")

Rate Limiting

Respect SEC EDGAR rate limits:

Maximum 10 requests per second
Use built-in rate limiting
Implement exponential backoff
Cache responses when possible

# Built-in rate limiting
from time import sleep
sleep(0.1)  # 100ms between requests

Error Handling

Handle errors securely:

try:
    result = await mcp.call_tool("get_filing", {...})
except Exception as e:
    # Log safely without exposing sensitive data
    logger.error(f"Filing retrieval failed: {type(e).__name__}")
    # Don't log full error with potential secrets

Compliance and Privacy

SEC EDGAR MCP:

Processes only publicly available SEC data
Does not collect personal user data
Does not track usage or analytics
Allows full data portability

SEC Terms of Use

Users must comply with SEC EDGAR terms:

Provide valid user agent
Respect rate limits
Use data appropriately
No excessive automated requests

Security Checklist

Before deploying SEC EDGAR MCP:

Reporting Security Issues

Security Contact

Report security vulnerabilities privately via email. We appreciate responsible disclosure and will credit researchers who help improve our security.

Security Updates

Stay informed about security updates:

GitHub Releases

Monitor releases for security patches

Security Advisories

Check security advisories

Dependencies

Track dependency updates

Created and maintained by Stefano Amorelli. Built together with the community.

Introduction

Setup

Usage

Tools

Use Cases

Community

Security Practices

Code Security

Development Security

Vulnerability Reporting

Reporting Process

What to Expect

Security Best Practices for Users

Environment Configuration

Data Handling

Secure Usage Guidelines

Compliance and Privacy

SEC Terms of Use

Security Checklist

Reporting Security Issues

Security Contact

Security Updates

GitHub Releases

Security Advisories

Dependencies

Introduction

Setup

Usage

Tools

Use Cases

Community

​Security Practices

​Code Security

​Development Security

​Vulnerability Reporting

​Reporting Process

​What to Expect

​Security Best Practices for Users

​Environment Configuration

​Data Handling

​Secure Usage Guidelines

​Compliance and Privacy

​GDPR Compliance

​SEC Terms of Use

​Security Checklist

​Reporting Security Issues

Security Contact

​Security Updates

GitHub Releases

Security Advisories

Dependencies

Security Practices

Code Security

Development Security

Vulnerability Reporting

Reporting Process

What to Expect

Security Best Practices for Users

Environment Configuration

Data Handling

Secure Usage Guidelines

Compliance and Privacy

GDPR Compliance

SEC Terms of Use

Security Checklist

Reporting Security Issues

Security Updates