| Version | Supported |
|---|---|
| latest | ✅ |
| < latest | ❌ |
If you discover a security vulnerability, please report it responsibly:
- Do NOT open a public issue.
- Use GitHub Security Advisories to privately report the vulnerability.
- Alternatively, email:
9169332+GeiserX@users.noreply.github.com
Response timeline:
- Acknowledgment: within 72 hours
- Assessment: within 1 week
- Fix: as soon as reasonably possible
- All credentials (IBKR accounts, bot tokens) are stored in environment variables or
.envfiles, never in code. .envandconfig.yamlare gitignored.
- IB Gateway ports are bound to
127.0.0.1only (not exposed to network). - Each gateway container runs with its own credentials.
- VNC ports (for debugging) are also localhost-only.
- Every trade requires explicit user confirmation via Telegram bot before execution.
- Position limits per-account to prevent over-allocation.
- Margin compliance checks (soft alerts or hard auto-sell enforcement).
- Application container runs as non-root user.
- Read-only filesystem with tmpfs for temporary files.
- All capabilities dropped (
cap_drop: ALL). - No privilege escalation (
no-new-privileges).
- Run behind a firewall — no ports need to be exposed to the internet.
- Use strong, unique passwords for IBKR accounts.
- Enable 2FA on all IBKR accounts.
- Regularly rotate the Telegram bot token.
- Monitor the trade execution log for unexpected activity.