If you discover a security vulnerability, please do not open a public issue.
Instead, please report it responsibly:
- Email: Send details to the project maintainers (see repository contacts)
- Include: Description of the vulnerability, steps to reproduce, and potential impact
- Response: We aim to acknowledge reports within 48 hours
Security issues we care about:
- Authentication/authorization bypass in edge functions or RLS policies
- API key exposure in code, logs, or error messages
- Injection vulnerabilities (SQL, XSS, command injection)
- Risk control bypass — any way to circumvent kill switch, position limits, or circuit breakers
- Privilege escalation — accessing admin/CIO functions without proper role
Out of scope:
- Vulnerabilities in third-party exchange APIs
- Issues requiring physical access to infrastructure
- Social engineering attacks
- Denial of service (unless it bypasses rate limiting)
This platform implements defense-in-depth:
| Layer | Control |
|---|---|
| Database | Row-Level Security (RLS) with role-based policies |
| Edge Functions | JWT validation, rate limiting, input sanitization |
| Trading | Kill switch, circuit breakers, reduce-only mode |
| Audit | Full audit trail on all state changes |
| Secrets | Exchange keys encrypted with pgcrypto, never exposed to frontend |
We follow a 90-day disclosure policy. After reporting:
- We confirm the issue within 48 hours
- We develop and test a fix
- We release a patch and credit the reporter
- After 90 days, the reporter may publicly disclose
Credential handling:
- Never commit real API keys to the repository
- All exchange credentials must be stored as Supabase secrets
- The `.env.example` files contain placeholder values only
- If you find a leaked key, report it immediately
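As an added illustration of the placeholder rule above (this script is not part of the project; the credential prefixes, placeholder markers, sensitive key names and the sample `.env.example` contents are all constructed assumptions), here is a small check a maintainer could run in CI or a pre-commit hook to flag an `.env.example` line whose sensitive key carries something other than an obvious placeholder:

```python
import re
from pathlib import Path

# Prefixes that indicate a live credential rather than a placeholder.
# Assumption: these cover the key formats this project handles; extend as needed.
SECRET_PREFIXES = ("sk_live_", "sk-", "eyJ", "AKIA", "ghp_", "xox")

# Substrings that mark a value as an intentional placeholder (assumed convention).
PLACEHOLDER_MARKERS = ("your_", "changeme", "placeholder", "example", "xxx", "<", "todo", "dummy")

# Keys whose value should be treated as sensitive (case-insensitive substring match).
SENSITIVE_KEY_PARTS = ("key", "secret", "token", "password", "passphrase")


def _unquote(value: str) -> str:
    return value.strip().strip('"').strip("'")


def is_placeholder(value: str) -> bool:
    """True if the value is empty or contains a known placeholder marker."""
    v = _unquote(value)
    if v == "":
        return True
    low = v.lower()
    return any(marker in low for marker in PLACEHOLDER_MARKERS)


def looks_like_secret(value: str) -> bool:
    """Heuristic: known credential prefix, or a long mixed-alphabet token."""
    v = _unquote(value)
    if v.startswith(SECRET_PREFIXES):
        return True
    # A 32+ character string drawn from a key alphabet, using at least two
    # character classes, is treated as a probable real credential.
    if len(v) >= 32 and re.fullmatch(r"[A-Za-z0-9+/=_\-]+", v):
        classes = sum(bool(re.search(p, v)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]"))
        return classes >= 2
    return False


def check_env_example(text: str) -> list[str]:
    """Return one finding per line whose sensitive key holds a non-placeholder value."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key.lower().startswith("export "):
            key = key[7:].strip()
        if not any(part in key.lower() for part in SENSITIVE_KEY_PARTS):
            continue
        if is_placeholder(value):
            continue
        if looks_like_secret(value):
            findings.append(f"line {lineno}: {key} appears to hold a real credential")
        else:
            findings.append(f"line {lineno}: {key} is not an obvious placeholder")
    return findings


def check_env_file(path: str) -> list[str]:
    """Run the check against a file on disk (e.g. .env.example in the repo root)."""
    return check_env_example(Path(path).read_text(encoding="utf-8"))


# Constructed sample input, not taken from the repository.
SAMPLE_ENV_EXAMPLE = """\
# constructed sample .env.example
SUPABASE_URL=https://your-project.supabase.co
SUPABASE_ANON_KEY=your_anon_key_here
EXCHANGE_API_KEY=abcdef0123456789ABCDEF0123456789abcd
EXCHANGE_API_SECRET=changeme
WEBHOOK_TOKEN=hunter2
"""

if __name__ == "__main__":
    for finding in check_env_example(SAMPLE_ENV_EXAMPLE):
        print(finding)
```

On the constructed sample the check reports two lines: `EXCHANGE_API_KEY` (a long mixed-alphabet value that looks like a real credential) and `WEBHOOK_TOKEN` (a short value that is neither a placeholder marker nor an obvious secret, so a human should look at it). Values such as `your_anon_key_here` and `changeme` pass, and non-sensitive keys like `SUPABASE_URL` are ignored. A non-empty result from `check_env_file(".env.example")` is the signal to fail the commit or pipeline.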
Thank you for helping keep this project and its users safe.