We provide security updates for the following versions:

| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |

If you discover a security vulnerability, please follow these steps:

- Do NOT open a public issue
- Email security details to: [create a security email]
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if known)

- OAuth2 with PKCE flow
- Encrypted token storage
- Automatic token refresh
- No credentials exposed to LLMs
- Local SQLite database with encryption
- Fernet symmetric encryption for tokens
- No sensitive data in logs
- Secure credential handling
- Request/response validation
- Rate limiting on trading operations
- Two-step confirmation for trades
- Comprehensive audit logging
- Regular dependency updates
- Automated security scanning
- Code review requirements
- Principle of least privilege
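The first item above, OAuth2 with PKCE, is the one whose correctness is easiest to check on its own, so here is an added example (not the project's code, and not tied to its actual OAuth provider) of what the client side computes: a random `code_verifier`, the S256 `code_challenge` derived from it per RFC 7636, the authorization URL that carries the challenge, and the constant-time check an authorization server performs when the verifier comes back. The endpoint, client id and redirect URI are constructed placeholders.

```python
"""PKCE (RFC 7636) helpers, standard library only. Added example; placeholder
endpoint/client values are constructed and do not belong to any real provider."""
import base64
import hashlib
import secrets
from urllib.parse import urlencode


def _b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Random code_verifier. 32 bytes encode to 43 chars; the RFC allows 43..128."""
    return _b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(auth_endpoint: str, client_id: str, redirect_uri: str,
                        scope: str, state: str, challenge: str) -> str:
    """Authorization request. Only the challenge leaves the client; the verifier stays in memory."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{auth_endpoint}?{urlencode(params)}"


def verify_challenge(verifier: str, stored_challenge: str) -> bool:
    """Server-side check at the token endpoint: recompute the challenge from the
    presented verifier and compare in constant time. An intercepted authorization
    code is useless without the verifier, which never crossed the wire."""
    return secrets.compare_digest(make_code_challenge(verifier), stored_challenge)


def run_flow() -> bool:
    """Simulate both halves of the exchange locally and report whether it succeeded."""
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    state = _b64url(secrets.token_bytes(16))  # CSRF binding for the redirect

    url = build_authorize_url(
        "https://auth.example.invalid/oauth/authorize",  # constructed placeholder
        "example-client-id",                             # constructed placeholder
        "http://127.0.0.1:8765/callback",                # constructed placeholder
        "trading:read trading:write",
        state,
        challenge,
    )
    # The server remembers `challenge` alongside the issued code; later the client
    # redeems the code together with `verifier`, and the server runs this check:
    accepted = verify_challenge(verifier, challenge)
    rejected = not verify_challenge(make_code_verifier(), challenge)
    return accepted and rejected and "code_challenge_method=S256" in url


if __name__ == "__main__":
    print("PKCE round trip ok:", run_flow())
```

The authorization server never needs the verifier in advance, so a leaked `code_challenge` (for example from a browser history entry) does not help anyone redeem the code. Keeping the verifier in process memory only, never in the encrypted SQLite store or in logs, is what makes the flow hold up.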

We appreciate responsible disclosure of security vulnerabilities. We will:

- Acknowledge receipt within 24 hours
- Provide initial assessment within 72 hours
- Keep you informed of progress
- Credit you in release notes (if desired)
- Release security fixes promptly

Thank you for helping keep our users safe! 🔒