## Supported Versions

| Version | Supported |
|---|---|
| 1.0.x | ✅ |
## Reporting a Vulnerability

We take the security of Exchange Gateway seriously. If you discover a security vulnerability, please follow these steps:

**Please do not create a public GitHub issue for security vulnerabilities.**

Send an email to f148002@gmail.com with:

- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
### Response Timeline

- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Fix Timeline: Depends on severity
  - Critical: 1-7 days
  - High: 7-30 days
  - Medium: 30-90 days
  - Low: Best effort
### Disclosure Policy

- We will work with you to understand and fix the issue
- We will credit you in the security advisory (unless you prefer to remain anonymous)
- We will coordinate disclosure timing with you
## Security Best Practices

When deploying Exchange Gateway:

- Always use HTTPS in production
- Set strong `SECRET_KEY` and `EXCHANGE_ENCRYPTION_KEY` values
- Use Docker Secrets for sensitive values in production
- Enable IP whitelisting for API keys when possible
- Regularly rotate API keys and encryption keys
- Keep dependencies updated via `pip install -U -r requirements.txt`
- Monitor audit logs for suspicious activity
- Use rate limiting to prevent abuse
## Security Features

- Exchange account passwords are encrypted with AES-256-GCM
- API keys are hashed with SHA-256 before storage
- JWT tokens expire after 7 days by default
- Webhook URLs are validated (private IPs blocked in production by default)
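The webhook check in the last bullet, as an added illustration rather than the project's own code: it accepts only `https://` URLs, resolves the host, and in production rejects any address in a private, loopback, link-local, multicast, reserved or unspecified range (the `production` flag and function names are assumptions).

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed example of the webhook validation this file describes; not the
# project's implementation. Names and the production flag are assumptions.


def _candidate_addresses(host):
    """Return the IP addresses a webhook host points at (literal or resolved)."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        pass  # not a literal IP, fall through to DNS
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def is_public_address(addr):
    """True only for addresses outside every internal/special-purpose range."""
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 rules apply to it.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_webhook_url(url, production=True):
    """Return (accepted, reason) for a user-supplied webhook URL."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "only https:// webhook URLs are accepted"
    if not parts.hostname:
        return False, "URL has no host"
    if parts.username or parts.password:
        return False, "credentials embedded in the URL are not allowed"
    if not production:
        return True, "accepted (private targets allowed outside production)"
    addresses = _candidate_addresses(parts.hostname)
    if not addresses:
        return False, "host does not resolve"
    for addr in addresses:  # every resolved address must be public
        if not is_public_address(addr):
            return False, f"host resolves to non-public address {addr}"
    return True, "accepted"
```

Checking every resolved address, not just the first, matters because a hostname can return both a public and an internal record.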
## Security Updates

Security updates will be released as patch versions and announced via:

- GitHub Security Advisories
- CHANGELOG.md
- Release notes