Security is critical for Pointbreak. As a debugging tool that accesses your IDE and code, security is taken seriously, and the security community's help in keeping Pointbreak safe is appreciated.
| Version | Supported |
|---|---|
| 0.x.x | β |
Note: Pointbreak is currently in beta (0.x.x versions). Please update to the latest version before reporting issues.
π¨ DO NOT open public GitHub issues for security vulnerabilities.
Public disclosure of security issues puts all users at risk. Instead:
Email: security@withpointbreak.com
Subject line: "Security Vulnerability in Pointbreak"
Please provide:
- Description - What's the vulnerability?
- Impact - What can an attacker do?
- Steps to Reproduce - How did you find it?
- Affected Versions - Which versions are vulnerable?
- Suggested Fix - (Optional) How might we fix it?
- Your Details - Name/handle for credit (optional)
Example Report:
Subject: Security Vulnerability in Pointbreak
Description:
Pointbreak MCP server accepts unauthenticated connections allowing
arbitrary debug commands from any process on the system.
Impact:
Local attacker could connect to MCP server and control debug sessions,
potentially executing code in the context of the debugged process.
Steps to Reproduce:
1. Start Pointbreak MCP server
2. From separate process, connect to MCP socket
3. Send arbitrary debug commands
4. Commands execute without authentication
Affected Versions: 0.1.0 - 0.2.5
Suggested Fix:
Add authentication token requirement for MCP connections
Contact: @security_researcher (prefer anonymous credit)
Security reports are treated seriously and will responded to promptly:
- Within 48 hours: Acknowledge your report
- Within 1 week: Provide initial assessment and timeline
- Within 30 days: Release fix or provide detailed plan
- After fix: Public disclosure (coordinated with you)
- Acknowledge - Confirm we received your report
- Investigate - Assess severity and impact
- Develop Fix - Create and test a patch
- Release - Deploy fix in new version
- Disclose - Publish security advisory
- Credit - Thank you publicly (if you want)
Vulnerabilities are assessed using these levels:
- Remote code execution
- Arbitrary file read/write outside project
- Authentication bypass in paid features
- Data exfiltration of code/credentials
Response goal: Patch within 7 days
- Local privilege escalation
- Unauthorized debug session access
- MCP protocol bypass
- IDE crash or data loss
Response goal: Patch within 14 days
- Information disclosure (non-sensitive)
- Denial of service (local)
- Debug session hijacking
Response goal: Patch within 30 days
- UI spoofing
- Error message information leakage
- Minor security improvements
Response goal: Patch in next release
IN SCOPE: β
- Code execution vulnerabilities
- RCE via MCP protocol
- Arbitrary code in debug context
- Authentication/Authorization issues
- Bypassing session controls
- Unauthorized debug access
- Data exposure
- Leaking code or credentials
- Exposing debug session data
- Injection attacks
- Command injection
- Path traversal
- MCP protocol vulnerabilities
- Protocol bypass
- Unauthenticated access
- IDE integration exploits
- Escaping sandbox
- Cross-session attacks
OUT OF SCOPE: β
- Social engineering (not a technical bug)
- Physical access attacks (requires local access)
- Denial of service (user can just restart)
- Issues in third-party services (report to them)
- Known issues in dependencies (we'll upgrade)
- Theoretical vulnerabilities (no working exploit)
- Beta software bugs (use GitHub issues)
When in doubt, report it! It's better to evaluate a non-issue than miss a real vulnerability.
We consider security research conducted according to this policy to be:
- β Authorized under the Computer Fraud and Abuse Act
- β Exempt from DMCA anti-circumvention provisions
- β Lawful and conducted in good faith
We will not pursue legal action against security researchers who:
- Follow this responsible disclosure policy
- Don't access user data beyond what's needed to demonstrate the vulnerability
- Don't intentionally harm users or our systems
- Don't publicly disclose before we've patched
- Act in good faith
Please:
- β Give us reasonable time to fix before public disclosure
- β Don't access user data beyond proof-of-concept
- β Don't harm users or our services
- β Don't use vulnerabilities maliciously
- β Follow responsible disclosure practices
Don't:
- β Publicly disclose before it's patched
- β Access other users' debug sessions or data
- β Perform denial of service attacks
- β Demand payment (no bounties currently)
- β Violate laws in your research
We believe in recognizing security researchers:
Currently:
- π Public recognition
- ποΈ Listed in Security Hall of Fame
- π’ Mention in release notes
- π Eternal gratitude
Future (potentially):
- π° Bug bounties
- π Free premium subscriptions
- π Swag and merchandise
- β Keep Pointbreak updated to the latest version
- β Only install from official sources (npm, VS Code marketplace)
- β Review MCP server permissions
- β Don't share debug sessions with untrusted parties
- β Be careful debugging untrusted code
- β Use security features in your IDE
- β Audit Pointbreak before deploying internally
- β Monitor for security updates
- β Restrict MCP server network access
- β Follow your organization's security policies
- β Consider security implications of AI assistant access
Current protections:
- π MCP server runs locally (not exposed to internet)
- π No remote code execution by default
- π Respects IDE security boundaries
- π No persistent storage of debug data
- π Minimal telemetry (opt-in only)
Planned protections:
- π MCP connection authentication
- π Signed releases (code signing)
- π Integrity verification
- π Session isolation
- π Audit logging
Subscribe to security updates:
- π§ Email: security-announce@withpointbreak.com (coming soon)
- π° GitHub: Watch releases for security tags
- π¦ Twitter: @withpointbreak (security announcements)
- π Blog: https://withpointbreak.com/blog
Security advisories will be posted at:
- GitHub Security Advisories
- Release notes (for each patched version)
- Our blog (for major issues)
For security issues:
- π§ security@withpointbreak.com
- π PGP Key: (coming soon)
For other concerns:
- General: legal@withpointbreak.com
- Privacy: privacy@withpointbreak.com
- Support: https://github.com/withpointbreak/pointbreak/issues
- Privacy Policy: https://withpointbreak.com/privacy
- Terms of Service: https://withpointbreak.com/terms
- Documentation: https://github.com/withpointbreak/pointbreak
- Report Non-Security Bugs: https://github.com/withpointbreak/pointbreak/issues
Found a security issue?
- βοΈ Email: security@withpointbreak.com
- π€ Don't post publicly
- π Include detailed reproduction steps
- β±οΈ We'll respond within 48 hours
- π We'll credit you (if you want)
Thank you for helping keep Pointbreak secure!
Last Updated: November 3, 2025
This security policy is inspired by industry best practices from GitHub, HackerOne, and the security community.