|
| 1 | +# Security Policy |
| 2 | + |
| 3 | +## Overview |
| 4 | + |
| 5 | +The ProjectX Python SDK provides access to trading functionality and financial data. We take security seriously and are committed to ensuring the SDK is secure for all users. This document outlines our security practices and how to report vulnerabilities. |
| 6 | + |
| 7 | +## Supported Versions |
| 8 | + |
| 9 | +We currently provide security updates for the following versions: |
| 10 | + |
| 11 | +| Version | Supported | |
| 12 | +| ------- | ------------------ | |
| 13 | +| 2.0.x | :white_check_mark: | |
| 14 | +| 1.x.x | :x: | |
| 15 | + |
| 16 | +Note: Version 2.0.0 was a complete rewrite with an async-only architecture, and all previous synchronous APIs were removed. |
| 17 | + |
| 18 | +## Reporting a Vulnerability |
| 19 | + |
| 20 | +If you discover a security vulnerability within the ProjectX Python SDK, please follow these steps for responsible disclosure: |
| 21 | + |
| 22 | +1. **DO NOT** disclose the vulnerability publicly or on GitHub issues |
| 23 | +2. Send an email to [email protected] with: |
| 24 | + - A description of the vulnerability |
| 25 | + - Steps to reproduce |
| 26 | + - Potential impact |
| 27 | + - Any suggested mitigations (optional) |
| 28 | +3. Allow us reasonable time to address the issue before public disclosure |
| 29 | + |
| 30 | +## What to Expect |
| 31 | + |
| 32 | +After submitting a security vulnerability: |
| 33 | + |
| 34 | +- We will acknowledge receipt of your report within 48 hours |
| 35 | +- We will provide a more detailed response within 7 days indicating next steps |
| 36 | +- We will work with you to understand and address the issue |
| 37 | +- We will keep you informed about our progress |
| 38 | +- We will credit you when we publish the vulnerability (unless you prefer to remain anonymous) |
| 39 | + |
| 40 | +## Security Update Process |
| 41 | + |
| 42 | +When security vulnerabilities are discovered: |
| 43 | + |
| 44 | +1. We assess the severity and impact |
| 45 | +2. We develop and test a fix |
| 46 | +3. We release a security update with appropriate version bump |
| 47 | +4. We publish a security advisory through GitHub's security advisories feature |
| 48 | +5. For critical issues, we may directly notify users who have provided contact information |
| 49 | + |
| 50 | +## Best Practices for SDK Users |
| 51 | + |
| 52 | +To ensure secure use of the ProjectX Python SDK: |
| 53 | + |
| 54 | +### Authentication & API Keys |
| 55 | + |
| 56 | +- Store API keys and credentials securely using environment variables or secure vaults |
| 57 | +- Never commit API keys to version control |
| 58 | +- Use the recommended config file path (`~/.config/projectx/config.json`) with appropriate file permissions |
| 59 | +- Regularly rotate your API keys |
| 60 | + |
| 61 | +### Network Security |
| 62 | + |
| 63 | +- Use HTTPS connections to the API (default in the SDK) |
| 64 | +- Consider implementing IP restrictions if supported by your broker or trading platform |
| 65 | +- Monitor for unusual API activity |
| 66 | + |
| 67 | +### Dependency Management |
| 68 | + |
| 69 | +- Regularly update the SDK to the latest version |
| 70 | +- Use dependency scanning tools to ensure all dependencies are secure |
| 71 | +- Lock dependency versions for production deployments |
| 72 | + |
| 73 | +### Operational Security |
| 74 | + |
| 75 | +- Implement proper logging for audit trails |
| 76 | +- Consider limiting trade sizes and implementing circuit breakers for automated trading |
| 77 | +- Test extensively before deploying to production |
| 78 | +- Implement monitoring for abnormal behavior |
| 79 | + |
| 80 | +### Code Security |
| 81 | + |
| 82 | +- Validate all input data |
| 83 | +- Do not modify the SDK core unless absolutely necessary |
| 84 | +- If extending the SDK, follow secure coding practices |
| 85 | +- Review the source code of any plugins or extensions before use |
| 86 | + |
| 87 | +## Vulnerability Disclosure Policy |
| 88 | + |
| 89 | +We follow these guidelines for disclosing vulnerabilities: |
| 90 | + |
| 91 | +1. Security issues are addressed promptly |
| 92 | +2. Fixes are thoroughly tested before release |
| 93 | +3. Vulnerabilities are publicly disclosed after a fix is available |
| 94 | +4. Users are encouraged to update as soon as possible |
| 95 | +5. Credits are given to reporters who follow the responsible disclosure process |
| 96 | + |
| 97 | +## Security Contacts |
| 98 | + |
| 99 | +For security concerns, please contact: |
| 100 | + |
| 101 | +- PGP Key: [Security PGP Key](https://projectx.com/pgp-key.txt) |
| 102 | + |
| 103 | +## Compliance |
| 104 | + |
| 105 | +When using this SDK for trading: |
| 106 | +- Ensure compliance with all relevant financial regulations |
| 107 | +- Be aware that this SDK handles financial data that may be subject to additional security requirements |
| 108 | +- Consider implementing additional security measures for production trading systems |
| 109 | + |
| 110 | +We appreciate your efforts in keeping the ProjectX Python SDK and its users secure! |
0 commit comments