Security: johnoconnor0/google-ads-mcp

SECURITY.md

Security Policy

Supported Versions

The following versions of the Google Ads MCP Server are currently supported with security updates:

| Version | Supported | Notes |
|---------|-----------|-------|
| 1.0.x | | Current stable release (v1) |
| 2.0.x | 🚧 | In development (v2), not yet released |
| < 1.0 | | Pre-release versions no longer supported |

Reporting a Vulnerability

We take the security of the Google Ads MCP Server seriously. If you discover a security vulnerability, please report it responsibly.

How to Report

GitHub Issues (Preferred)

  1. Go to the Issues page
  2. Click "New Issue"
  3. For sensitive security issues: Email john@anthril.com first, or use GitHub's private vulnerability reporting if available
  4. For non-sensitive issues: Create a public issue with the "security" label

What to Include

Please include the following information in your report:

  • Description: Clear description of the vulnerability
  • Impact: What could an attacker accomplish?
  • Reproduction Steps: Detailed steps to reproduce the issue
  • Affected Versions: Which versions are affected?
  • Suggested Fix: If you have ideas for how to fix it (optional)
  • Environment: Python version, OS, Google Ads API version

Example Report Template:

## Vulnerability Description
[Brief description of the security issue]

## Impact
[What could happen if this is exploited?]

## Steps to Reproduce
1. [First step]
2. [Second step]
3. [Additional steps...]

## Affected Versions
- Version 1.0.0
- All versions prior to X.X.X

## Suggested Fix (Optional)
[Your suggestions for fixing the issue]

## Environment
- Python: 3.10
- OS: Windows 11
- Google Ads API: v17

Response Timeline

  • Initial Response: Within 48 hours
  • Status Update: Within 7 days
  • Fix Timeline: Depends on severity
    • Critical: 1-7 days
    • High: 7-14 days
    • Medium: 14-30 days
    • Low: 30-90 days

Disclosure Policy

  • Private Disclosure: Please give us reasonable time to fix the issue before public disclosure
  • Credit: We will credit you in the security advisory (unless you prefer to remain anonymous)
  • Public Advisory: Once fixed, we will publish a security advisory with details

Security Best Practices

Credential Management

NEVER commit credentials to version control

  • Do NOT commit your developer_token, client_id, client_secret, or refresh_token
  • Use environment variables for sensitive configuration
  • Use .gitignore to exclude configuration files containing secrets
  • Consider using a secrets manager (AWS Secrets Manager, Azure Key Vault, HashiCorp Vault)

Example - Secure credential storage:

# Use environment variables
export GOOGLE_ADS_DEVELOPER_TOKEN="your-token"
export GOOGLE_ADS_CLIENT_ID="your-client-id"
export GOOGLE_ADS_CLIENT_SECRET="your-secret"
export GOOGLE_ADS_REFRESH_TOKEN="your-refresh-token"

OAuth Token Management

Rotate tokens regularly

  • Refresh tokens should be rotated periodically (every 90 days recommended)
  • Use short-lived access tokens (handled automatically by the Google Ads API client)
  • Revoke tokens that are no longer needed

Secure token storage:

  • Store refresh tokens in encrypted storage
  • Limit file permissions: chmod 600 config.yaml on Linux/macOS
  • Never log refresh tokens or access tokens
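The storage advice above can be turned into a startup check. The following is an added example, not code from google-ads-mcp: it verifies that a secrets file such as config.yaml has no group/other permission bits (mode 0600 or stricter) and flags a refresh token that is older than the 90-day rotation window. The `issued_at` timestamp and the `audit_config` helper are assumptions; the project does not record when a token was minted.

```python
# Added example (not part of google-ads-mcp): check that a secrets file is readable
# only by its owner, and flag refresh tokens older than the 90-day rotation window.
# The `issued_at` bookkeeping is an assumption for this example.
import os
import stat
from datetime import datetime, timedelta, timezone
from typing import Optional

# Permission bits that must NOT be set on a file holding tokens: anything that
# grants group or other read/write/execute access.
_FORBIDDEN_MODE_BITS = stat.S_IRWXG | stat.S_IRWXO


def secrets_file_is_private(path: str) -> bool:
    """True only if `path` is a regular file with no group/other access
    (mode 0600 or stricter, as recommended for config.yaml)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    if not stat.S_ISREG(st.st_mode):
        return False
    return (st.st_mode & _FORBIDDEN_MODE_BITS) == 0


def refresh_token_needs_rotation(issued_at: datetime,
                                 now: Optional[datetime] = None,
                                 max_age_days: int = 90) -> bool:
    """True when the refresh token was issued more than `max_age_days` ago.

    `issued_at` is assumed to be a timezone-aware timestamp the operator records
    when the token is minted; the Google Ads API does not report it.
    """
    now = now or datetime.now(timezone.utc)
    return now - issued_at > timedelta(days=max_age_days)


def audit_config(path: str, issued_at: datetime,
                 now: Optional[datetime] = None) -> list:
    """Collect findings so a startup hook can refuse to run (or at least warn)
    before any credential is loaded from the file."""
    findings = []
    if not secrets_file_is_private(path):
        findings.append(f"{path}: must be a regular file with mode 0600 (chmod 600 {path})")
    if refresh_token_needs_rotation(issued_at, now):
        findings.append("refresh token is older than 90 days; rotate it and revoke the old one")
    return findings


if __name__ == "__main__":
    import tempfile
    # Constructed demo: a temporary file with a too-permissive mode, then fixed.
    fd, demo_path = tempfile.mkstemp()
    os.close(fd)
    issued = datetime(2025, 1, 1, tzinfo=timezone.utc)
    os.chmod(demo_path, 0o644)
    print(audit_config(demo_path, issued))
    os.chmod(demo_path, 0o600)
    print(audit_config(demo_path, issued, now=datetime(2025, 3, 1, tzinfo=timezone.utc)))
    os.unlink(demo_path)
```

The mode check looks at permission bits rather than calling `os.access`, so it gives the same answer whether or not the process runs as root.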

MCC (Manager) Account Security

For multi-account management:

  • Use MCC accounts with appropriate access levels
  • Follow the principle of least privilege
  • Audit MCC access regularly
  • Enable two-factor authentication (2FA) on Google Ads accounts

API Rate Limiting

Prevent abuse and quota exhaustion:

  • Implement rate limiting in your application
  • Use the built-in caching mechanisms (Memory or Redis)
  • Monitor API quota usage via Google Ads API reporting
  • Implement exponential backoff for retries
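The two application-side controls in the list above, rate limiting and exponential backoff, as an added example that is not the project's own code. The clock, sleep function and random source are injectable so the behaviour is deterministic under test; `TransientApiError` stands in for whatever retryable error the Google Ads client raises and is an assumption of this example.

```python
# Added example (not google-ads-mcp's own code): a token-bucket rate limiter and
# retry with exponential backoff plus full jitter. Clock and RNG are injectable.
import random
import time
from typing import Callable, TypeVar

T = TypeVar("T")


class TokenBucket:
    """Allow at most `rate` requests per second, with bursts up to `capacity`."""

    def __init__(self, rate: float, capacity: int,
                 clock: Callable[[], float] = time.monotonic):
        self.rate = rate
        self.capacity = capacity
        self.tokens = float(capacity)
        self.clock = clock
        self.last = clock()

    def _refill(self) -> None:
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def try_acquire(self) -> bool:
        """Non-blocking: take one token if available, otherwise report rejection so
        the caller can answer 'slow down' instead of forwarding the call to the API."""
        self._refill()
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def backoff_delays(attempts: int, base: float = 0.5, cap: float = 30.0,
                   rng: Callable[[float, float], float] = random.uniform) -> list:
    """Delays for successive retries: uniform(0, min(cap, base * 2**n)) (full jitter)."""
    return [rng(0.0, min(cap, base * (2 ** n))) for n in range(attempts)]


class TransientApiError(Exception):
    """Stand-in (assumed) for a retryable failure such as quota exhaustion or a 5xx."""


def call_with_retry(fn: Callable[[], T], attempts: int = 5,
                    sleep: Callable[[float], None] = time.sleep,
                    rng: Callable[[float, float], float] = random.uniform) -> T:
    """Run `fn`, retrying only on TransientApiError. Any other exception propagates
    at once so programming errors and auth failures are not hidden behind retries."""
    delays = backoff_delays(attempts - 1, rng=rng)
    for i in range(attempts):
        try:
            return fn()
        except TransientApiError:
            if i == attempts - 1:
                raise
            sleep(delays[i])
    raise AssertionError("unreachable")
```

Retrying only the transient error class matters: retrying an authentication failure with backoff both delays the operator's alert and multiplies failed-login noise in Google's audit trail.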

Logging and Monitoring

Secure logging practices:

  • Never log sensitive data (tokens, credentials, personal information)
  • Use structured logging with appropriate log levels
  • Implement log rotation to prevent disk exhaustion
  • Monitor logs for suspicious activity
  • Use the built-in logger with appropriate configurations:

logging:
  level: INFO  # Use INFO or WARNING in production (not DEBUG)
  format: json
  console: false
  file: /var/log/google-mcp/server.log
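The credential-management and logging sections both come down to the same two rules: read secrets from the environment, and make sure they cannot reach a log line. The block below is an added example, not code from google-ads-mcp. It loads the four secrets from the environment variable names shown in the export example above, fails closed if any is missing (naming the variable, never a value), and installs a `logging.Filter` that redacts the loaded secret values and anything shaped like a Google OAuth token. The token regexes and the `AdsCredentials` class are assumptions of this example.

```python
# Added example (not part of google-ads-mcp): load Google Ads secrets from the
# environment and redact them from log records. Token regexes are heuristics.
import logging
import os
import re
from dataclasses import dataclass

ENV_VARS = {
    "developer_token": "GOOGLE_ADS_DEVELOPER_TOKEN",
    "client_id": "GOOGLE_ADS_CLIENT_ID",
    "client_secret": "GOOGLE_ADS_CLIENT_SECRET",
    "refresh_token": "GOOGLE_ADS_REFRESH_TOKEN",
}

# Heuristic patterns for Google OAuth material that may appear in stray log lines.
_TOKEN_PATTERNS = [
    re.compile(r"1//[A-Za-z0-9_\-]{20,}"),      # refresh tokens
    re.compile(r"ya29\.[A-Za-z0-9_\-.]{20,}"),  # access tokens
]


@dataclass(repr=False)
class AdsCredentials:
    developer_token: str
    client_id: str
    client_secret: str
    refresh_token: str

    def __repr__(self) -> str:
        # A stray print()/log of the object must not leak secrets.
        return f"AdsCredentials(client_id={self.client_id!r}, <secrets redacted>)"

    def secret_values(self) -> list:
        return [self.developer_token, self.client_secret, self.refresh_token]


def load_credentials(env=os.environ) -> AdsCredentials:
    """Fail closed when any variable is missing; report names, never values."""
    missing = [name for name in ENV_VARS.values() if not env.get(name)]
    if missing:
        raise RuntimeError(f"missing required environment variables: {', '.join(missing)}")
    return AdsCredentials(**{field: env[var] for field, var in ENV_VARS.items()})


class RedactSecretsFilter(logging.Filter):
    """Rewrite the formatted message so exact secret values and token-shaped
    strings are masked before any handler writes the record."""

    def __init__(self, secrets: list):
        super().__init__()
        # Longest first, so a secret containing another is masked completely.
        self.secrets = sorted((s for s in secrets if s), key=len, reverse=True)

    def redact(self, text: str) -> str:
        for s in self.secrets:
            text = text.replace(s, "[REDACTED]")
        for pat in _TOKEN_PATTERNS:
            text = pat.sub("[REDACTED]", text)
        return text

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = self.redact(record.getMessage())
        record.args = ()
        return True


if __name__ == "__main__":
    creds = load_credentials()
    root = logging.getLogger()
    root.addFilter(RedactSecretsFilter(creds.secret_values()))
    logging.basicConfig(level=logging.INFO)
    logging.info("loaded %r", creds)
```

Attach the filter to every handler (or the root logger, as above) rather than to one named logger: records emitted by third-party libraries such as the Google Ads client propagate to handlers without passing a child logger's filters.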

Network Security

Secure communications:

  • Always use HTTPS for API communications (enforced by Google Ads API)
  • If exposing the MCP server over a network, use TLS/SSL
  • Implement proper authentication and authorization
  • Use firewall rules to restrict access

Input Validation

Prevent injection attacks:

  • The server validates all GAQL queries using query_optimizer.py
  • Customer IDs are validated to prevent injection
  • User inputs are sanitized before being used in API calls
  • Pydantic models enforce type safety
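The two checks the list above attributes to the server, customer ID validation and GAQL query validation, written from scratch as an added example; this is not the project's query_optimizer.py. `normalize_customer_id` accepts only the `123-456-7890` or `1234567890` forms and returns the bare digits, and `check_gaql` admits a single read-only `SELECT ... FROM <resource>` statement whose resource is on an allowlist. The allowlist contents and the length cap are assumptions chosen for illustration.

```python
# Added example (not the project's query_optimizer.py): customer ID normalisation
# and a conservative GAQL pre-check. ALLOWED_RESOURCES is an illustrative allowlist.
import re

_CUSTOMER_ID_RE = re.compile(r"^\d{3}-?\d{3}-?\d{4}$")
# GAQL resources this server is willing to query (example allowlist, an assumption).
ALLOWED_RESOURCES = frozenset({"campaign", "ad_group", "ad_group_ad", "keyword_view", "customer"})
_FROM_RE = re.compile(r"\bFROM\s+([a-z_]+)", re.IGNORECASE)
_MAX_QUERY_LEN = 8192


class InvalidInput(ValueError):
    pass


def normalize_customer_id(raw: str) -> str:
    """Return the 10-digit customer ID the API expects, or raise InvalidInput."""
    value = raw.strip()
    if not _CUSTOMER_ID_RE.match(value):
        raise InvalidInput("customer ID must be 10 digits, optionally written 123-456-7890")
    return value.replace("-", "")


def check_gaql(query: str) -> str:
    """Validate a GAQL string before it reaches the API and return it stripped.

    Rejects empty or oversized input, statement separators and comment markers,
    unbalanced quotes, anything other than SELECT, and FROM clauses naming a
    resource outside ALLOWED_RESOURCES. Deliberately conservative: a legitimate
    string literal containing ';' or '--' is refused rather than risked.
    """
    q = query.strip()
    if not q or len(q) > _MAX_QUERY_LEN:
        raise InvalidInput("query is empty or too long")
    if ";" in q or "--" in q or "/*" in q:
        raise InvalidInput("statement separators and comments are not allowed")
    if q.count("'") % 2 or q.count('"') % 2:
        raise InvalidInput("unbalanced quotes")
    if not re.match(r"^SELECT\s", q, re.IGNORECASE):
        raise InvalidInput("only SELECT queries are permitted")
    m = _FROM_RE.search(q)
    if not m:
        raise InvalidInput("query must have a FROM clause")
    resource = m.group(1).lower()
    if resource not in ALLOWED_RESOURCES:
        raise InvalidInput(f"resource '{resource}' is not in the allowlist")
    return q


if __name__ == "__main__":
    print(normalize_customer_id("123-456-7890"))
    print(check_gaql("SELECT campaign.id, campaign.name FROM campaign "
                     "WHERE campaign.status = 'ENABLED'"))
```

The allowlist is the part worth thinking about in a real deployment: GAQL is read-only by design, so the residual risk is which resources a caller may read, and an explicit allowlist keeps that decision in one place.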

Dependency Management

Keep dependencies up to date:

# Check for outdated packages
pip list --outdated

# Update packages
pip install --upgrade google-ads mcp httpx pydantic

# Audit for known vulnerabilities
pip-audit

Monitor security advisories:

Known Security Considerations

Google Ads API Authentication

  • OAuth 2.0 Flow: The server uses OAuth 2.0 for authentication
  • Developer Token: Required for API access - protect like a password
  • Refresh Token: Long-lived token that can generate access tokens - protect carefully

Refresh Token Storage

  • Refresh tokens are stored in config.yaml or environment variables
  • Risk: If compromised, an attacker can access your Google Ads accounts
  • Mitigation: Use encrypted storage, restrict file permissions, rotate regularly

Developer Token Protection

  • Developer tokens are account-specific and grant API access
  • Risk: Token misuse could lead to unauthorized API access
  • Mitigation: Treat as a secret, never commit to version control, use environment variables

Multi-Account Access

  • MCC accounts can access multiple client accounts
  • Risk: Compromise of MCC credentials affects all managed accounts
  • Mitigation: Use strict access controls, audit regularly, enable 2FA

GAQL Query Execution

  • Custom GAQL queries can access account data
  • Risk: Malicious queries could extract sensitive information
  • Mitigation: Query validation, input sanitization, access controls

Security Updates

Update Notifications

Security updates will be announced via:

  • GitHub Releases: All releases include security notes
  • GitHub Security Advisories: Critical vulnerabilities
  • CHANGELOG.md: Detailed change notes (when created)

Applying Security Updates

# Update to the latest version
cd /path/to/google-mcp
git pull origin main
pip install -r requirements.txt --upgrade

# Restart the MCP server
# (restart Claude Desktop or your integration)

Security Patch Policy

  • Critical vulnerabilities: Immediate patch release
  • High severity: Patch within 7 days
  • Medium/Low severity: Included in next regular release

Additional Resources

Contact

For security-related questions or concerns:


Last Updated: December 17, 2025

Security Response SLA

  • Initial triage acknowledgement: within 3 business days.
  • Status update after validation: within 7 business days.
  • Remediation target for confirmed critical vulnerabilities: as soon as practicable, with an initial mitigation plan within 14 days.

VirusTotal Audit

Last updated: 2026-05-18T16:44:22.568Z

| File | SHA256 | Status | Link |
|------|--------|--------|------|
| google_ads_mcp.py | 972c4d649845a849a66fe42a31de9a3d8b614230b3438df03e7d14d769bd7961 | Not present in VirusTotal | n/a |
| requirements.txt | 24c0308c461410ea39a52a386ff5d6c7349ed457868f3dca41e51b4cd95f3f25 | Not present in VirusTotal | n/a |
| pyproject.toml | 37a2810ca7c73db197b1e3c5f773b248906ce0670dbce3052e4fab3cbcacfadd | Not present in VirusTotal | n/a |
| README.md | c0ec7cdc3dd83fab42d3061900584e3f34255581149696740c77540f86bdd83d | Not present in VirusTotal | n/a |
| SECURITY.md | 82e5646f0cbc917707314bf4e8d08feaef6d4aecd600ad8fbd65e54e4b533ff9 | Not present in VirusTotal | n/a |
| .github/workflows/ci.yml | 7e3952f3b263406bd66176a5a1df2299e332edafd3c02d54009568a4af05aa62 | Not present in VirusTotal | n/a |
| .github/workflows/secret-scan.yml | 81ca73fbfc638997d69d914a6f9a6cfbba811763b0623c2899d80d555c3ad58d | Not present in VirusTotal | n/a |
| .github/workflows/release-check.yml | a1f9bd662da69b04a211871854b99f37b94972351f25e07c8749861c725856f4 | Not present in VirusTotal | n/a |

Raw report is stored in .virustotal/latest.json.

There aren't any published security advisories