Skip to content

Security: catsika/Hyperliquid-Bot

Security

SECURITY.md

Security Policy

Reporting a Vulnerability

Please report security issues privately using GitHub's private vulnerability reporting flow:

  1. Open the repository Security tab.
  2. Click Report a vulnerability.
  3. Include a clear reproduction, affected versions/commit, and impact.

If private reporting is unavailable, open a minimal public issue without secrets and request a private contact channel.

What to Report

Report anything that could lead to fund loss, credential exposure, or unsafe order behavior, including:

  • Private key, token, or credential leakage
  • Unsafe secret handling or accidental logging of sensitive data
  • Authentication or authorization bypasses
  • Order safety issues (duplicate orders, missing limits, unsafe defaults, failed stop/kill logic)
  • Risk-control bypasses (drawdown/stop-loss/inventory guard failures)
  • Dependency or build-chain vulnerabilities with practical impact

Disclosure Expectations

  • We aim to acknowledge reports within 72 hours (best effort).
  • We aim to provide a remediation status update within 7 days (best effort).
  • Please avoid public disclosure until a fix or mitigation is available.

Key Exposure Guidance

If any key has ever been committed to git history (even if later removed), treat it as compromised:

  1. Revoke/rotate the key immediately.
  2. Replace all affected credentials.
  3. Review account activity and tighten permissions.

Do not rely on history rewrites as a complete mitigation; rotate secrets first.

There aren't any published security advisories