Please do not open a public GitHub issue for security reports. Email the maintainer at security@<domain> (replace with your contact) with:
- a description of the issue,
- the affected file path(s) and commit SHA,
- steps to reproduce, and
- the impact you believe it has.
You can expect an initial acknowledgement within 72 hours. Fixes for confirmed issues will be coordinated with you before public disclosure.
Sleipnir handles exchange credentials and signs financial orders. Treat every code path that touches the API key/secret, signs an HTTP request, or submits a Kafka intent as security-sensitive.
The full standing audit lives in docs/SECURITY_AUDIT.md. New issues should be triaged against that document; fixes should reference its finding IDs (e.g. Fixes C3).
These rules are not optional. They cover the most common ways exchange credentials leak.
- Never commit
.envor any file containingBINANCE_API_KEY/BINANCE_API_SECRETto this repo or any fork..envis in.gitignoreand.dockerignore. If you find a secret in git history, treat it as compromised — rotate immediately. - Never paste credentials into a PR description, a CI log, or a Grafana panel screenshot. CI logs are public on this repo.
- Never log raw exchange payloads. Binance WS API responses can echo your
apiKeyin subscription acks. Whitelist fields before logging. See finding H1 in the audit. - Mainnet credentials are out of scope. Sleipnir is testnet-only. The roadmap is explicit about this. Do not configure
BINANCE_REST_URLto a mainnet host. .envpermissions should be0600on developer machines. The codebase does not enforce this; you do.- Secrets in containers must come from runtime injection (Docker secrets, Kubernetes
Secret, env vars set by the orchestrator) — not baked into the image. The.dockerignoreexcludes.envfrom build context to prevent C1-style leaks into builder layers.
- Dependabot is configured under
.github/dependabot.yml(Phase 2 of the roadmap) forgomodandgithub-actions. gosecruns in CI againstinternal/exchange(Phase 2) — HMAC and credential paths.- Pinned image digests for the final
alpinestage are a Phase 8 deliverable. Track CVEs against the current floating tag in the meantime.
- We do not provide a bug bounty.
- We do not promise CVE coordination for low-severity issues.
- Sleipnir is a research artifact. Do not operate mainnet with it. See
docs/ROADMAP.mdPhase F.