Skip to content

Security: openpitkit/pit

SECURITY.md

Security Policy

OpenPit is a pre-trade risk SDK. Security reports are handled privately so maintainers can assess impact and coordinate fixes before public disclosure.

Reporting A Vulnerability

Please do not open a public GitHub issue for a security vulnerability.

Preferred private channel:

Fallback channel:

Include enough detail to reproduce and evaluate the issue:

  • Affected component, binding, version, commit, or configuration.
  • Steps to reproduce or a minimal proof of concept.
  • Expected impact and any known mitigations.
  • Whether the report has been shared with anyone else.

Do not include real credentials, private trading data, customer data, or proprietary production logs.

Response Expectations

Maintainers will acknowledge valid private reports as soon as practical, triage severity, and coordinate next steps with the reporter. Fix timing depends on severity, exploitability, affected versions, and release readiness.

After a fix is available, maintainers may publish a GitHub Security Advisory, release notes, or both, depending on the issue.

There aren't any published security advisories