Please report security issues privately using GitHub's private vulnerability reporting flow:
- Open the repository Security tab.
- Click Report a vulnerability.
- Include a clear reproduction, affected versions/commit, and impact.
If private reporting is unavailable, open a minimal public issue without secrets and request a private contact channel.
Report anything that could lead to fund loss, credential exposure, or unsafe order behavior, including:
- Private key, token, or credential leakage
- Unsafe secret handling or accidental logging of sensitive data
- Authentication or authorization bypasses
- Order safety issues (duplicate orders, missing limits, unsafe defaults, failed stop/kill logic)
- Risk-control bypasses (drawdown/stop-loss/inventory guard failures)
- Dependency or build-chain vulnerabilities with practical impact
- We aim to acknowledge reports within 72 hours (best effort).
- We aim to provide a remediation status update within 7 days (best effort).
- Please avoid public disclosure until a fix or mitigation is available.
If any key has ever been committed to git history (even if later removed), treat it as compromised:
- Revoke/rotate the key immediately.
- Replace all affected credentials.
- Review account activity and tighten permissions.
Do not rely on history rewrites as a complete mitigation; rotate secrets first.