OpenPit is a pre-trade risk SDK. Security reports are handled privately so maintainers can assess impact and coordinate fixes before public disclosure.
Please do not open a public GitHub issue for a security vulnerability.
Preferred private channel:
- Open a private report through GitHub Security Advisories.
Fallback channel:
- Email maintainers@palchukovsky.com if GitHub Security Advisories are not available to you.
Include enough detail to reproduce and evaluate the issue:
- Affected component, binding, version, commit, or configuration.
- Steps to reproduce or a minimal proof of concept.
- Expected impact and any known mitigations.
- Whether the report has been shared with anyone else.
Do not include real credentials, private trading data, customer data, or proprietary production logs.
Maintainers will acknowledge valid private reports as soon as practical, triage severity, and coordinate next steps with the reporter. Fix timing depends on severity, exploitability, affected versions, and release readiness.
After a fix is available, maintainers may publish a GitHub Security Advisory, release notes, or both, depending on the issue.