If you discover a security vulnerability in Iris, please report it responsibly.
Do NOT open a public GitHub issue for security vulnerabilities.
Instead, please email: security@iris-eval.com
You will receive an acknowledgment within 48 hours and a detailed response within 5 business days.
This security policy applies to:
- The Iris MCP server (@iris-eval/mcp-server)
- The Iris web dashboard
- The Iris website (iris-eval.com)
| Version | Supported |
|---|---|
| 0.1.x | Yes |
- Remote code execution
- PII/data exposure in eval outputs
- Injection attacks through MCP tool inputs
- Authentication or authorization bypasses in the dashboard
- Denial of service affecting the MCP server
- Supply chain vulnerabilities in dependencies
- Self-hosted deployment misconfigurations
- Rate limiting on self-hosted instances (user responsibility)
- Vulnerabilities in third-party MCP clients
We follow coordinated disclosure. We will:
- Acknowledge receipt within 48 hours
- Confirm the vulnerability and determine its impact
- Develop and test a fix
- Release the fix and publish an advisory
- Credit the reporter (unless they prefer anonymity)
We ask that you:
- Allow us reasonable time to address the issue before public disclosure
- Make a good-faith effort to avoid privacy violations and data destruction
- Do not exploit the vulnerability beyond what is necessary to demonstrate it
- Run Iris behind a reverse proxy with TLS
- Restrict dashboard access to trusted networks
- Keep Iris updated to the latest version
- Review eval rule configurations for your specific compliance requirements