# Security Policy ## Supported Versions We release patches for security vulnerabilities for the following versions: | Version | Supported | | ------- | ------------------ | | 0.1.x | :white_check_mark: | ## Reporting a Vulnerability We take the security of TradingAgents seriously. If you believe you have found a security vulnerability, please report it to us as described below. **Please do NOT report security vulnerabilities through public GitHub issues.** ### How to Report Please report security vulnerabilities by emailing: **yijia.xiao@cs.ucla.edu** Include the following information in your report: 1. **Type of vulnerability** (e.g., SQL injection, XSS, path traversal) 2. **Full paths of source file(s)** related to the vulnerability 3. **Location** of the affected source code (tag/branch/commit or direct URL) 4. **Step-by-step instructions** to reproduce the issue 5. **Proof-of-concept or exploit code** (if possible) 6. **Impact** of the vulnerability ### What to Expect - We will acknowledge your email within **48 hours** - We will provide a more detailed response within **7 days** - We will work to verify and fix the vulnerability as quickly as possible - We will credit you in our security advisory (unless you prefer to remain anonymous) ## Security Best Practices for Users ### API Key Management 1. **Never commit API keys** to version control 2. **Use environment variables** or `.env` files (which are gitignored) 3. **Rotate keys regularly** - at least every 90 days 4. **Use different keys** for development and production 5. **Monitor API usage** for unusual patterns Example `.env` file: ```bash OPENAI_API_KEY=your_key_here ALPHA_VANTAGE_API_KEY=your_key_here TRADINGAGENTS_DATA_DIR=/path/to/safe/data/directory TRADINGAGENTS_RESULTS_DIR=/path/to/safe/results/directory ``` ### Input Validation Always validate user inputs when using TradingAgents: ```python from tradingagents.utils import validate_ticker, validate_date # Validate ticker try: ticker = validate_ticker(user_input_ticker) except ValueError as e: print(f"Invalid ticker: {e}") # Validate date try: date = validate_date(user_input_date) except ValueError as e: print(f"Invalid date: {e}") ``` ### Secure File Paths The framework now automatically sanitizes file paths. However, you should still: 1. **Never use user input directly** in file paths 2. **Use the built-in sanitization** functions 3. **Validate all file operations** ```python from tradingagents.security import sanitize_path_component from pathlib import Path # Safe file path construction ticker = sanitize_path_component(user_input_ticker) date = sanitize_path_component(user_input_date) safe_path = Path(results_dir) / ticker / date ``` ### Rate Limiting To avoid hitting API rate limits: ```python from tradingagents.security import RateLimiter # Limit to 60 calls per minute @RateLimiter(max_calls=60, period=60) def my_api_call(): # Your API call here pass ``` ### Logging and Monitoring 1. **Enable security logging** in production 2. **Monitor for unusual patterns**: - Excessive API calls - Failed authentication attempts - Unusual ticker symbols 3. **Set up alerts** for security events ### Network Security 1. **Always use HTTPS** for API calls 2. **Verify SSL certificates** 3. **Set appropriate timeouts** 4. **Use VPN or private networks** when possible ### Data Protection 1. **Encrypt sensitive data** at rest 2. **Don't log API keys** or sensitive data 3. **Implement data retention policies** 4. **Follow GDPR/CCPA** if applicable ## Known Security Enhancements The following security enhancements have been implemented: ### Version 0.1.1 (Current) - **Path traversal protection**: All file paths are now sanitized - **Input validation**: Ticker symbols and dates are validated - **API key validation**: Keys are validated before use - **Rate limiting**: Built-in rate limiter to prevent quota exhaustion - **Secure defaults**: Hardcoded paths removed, environment variables used - **URL validation**: Protection against SSRF attacks - **Timeout enforcement**: All network requests have timeouts ### Pending Security Enhancements - Comprehensive test suite with security tests - Automated secret scanning in CI/CD - Dependency vulnerability scanning - Security headers for any web interfaces - Audit logging for security events ## Security Disclosure Policy ### Timeline - **Day 0**: Vulnerability reported to security team - **Day 1-2**: Acknowledgment sent to reporter - **Day 3-7**: Vulnerability verified and severity assessed - **Day 7-30**: Fix developed and tested - **Day 30-45**: Fix released and advisory published - **Day 45+**: Full disclosure (if agreed with reporter) ### Severity Levels | Severity | Description | Response Time | |----------|-------------|---------------| | Critical | Actively exploited, remote code execution, data breach | 24-48 hours | | High | Authentication bypass, privilege escalation | 1 week | | Medium | Information disclosure, DoS | 2 weeks | | Low | Limited impact, requires specific conditions | 1 month | ## Security Acknowledgments We would like to thank the following people for their responsible disclosure of security vulnerabilities: - *Your name could be here!* ## Additional Resources - [OWASP Top 10](https://owasp.org/www-project-top-ten/) - [Python Security Best Practices](https://python.readthedocs.io/en/stable/library/security_warnings.html) - [NIST Cybersecurity Framework](https://www.nist.gov/cyberframework) - [CWE/SANS Top 25](https://www.sans.org/top25-software-errors/) ## Security Contacts - **Security Email**: yijia.xiao@cs.ucla.edu - **GitHub Security Advisories**: https://github.com/TauricResearch/TradingAgents/security/advisories ## Legal This security policy is provided "as is" without warranty of any kind. The TradingAgents team reserves the right to modify this policy at any time. Last updated: 2025-11-14