We currently provide security updates for the following versions of ClickUp MCP Server:

We take the security of the ClickUp MCP Server seriously, especially since it handles API keys and sensitive task data. If you discover a security vulnerability, please follow these steps:

1. Do NOT disclose the vulnerability publicly until it has been addressed by the maintainers.
2. Send details of the vulnerability to the project maintainer directly at create a private security report.
3. Include as much information as possible, such as:
   • A clear description of the vulnerability
   • Steps to reproduce the issue
   • Potential impact of the vulnerability
   • Suggested fix if you have one

• You will receive an initial response to your report within 48 hours.
• We will keep you updated on our progress in addressing the vulnerability.
• Once the vulnerability is fixed, we may ask you to verify the solution.

When using ClickUp MCP Server, please follow these security best practices:

1. Never commit your ClickUp API keys to version control. Always use environment variables or secure configuration management.
2. Keep your npm dependencies up to date.
3. Run the server in an isolated environment when possible.
4. Regularly check for updates to the ClickUp MCP Server to ensure you have the latest security patches.

This security policy may be updated from time to time. Please check back regularly for any changes.

We appreciate the responsible disclosure of security vulnerabilities and will acknowledge your contribution once the issue is resolved, unless you prefer to remain anonymous.