TradingAgents/SECURITY.md


Security Policy

Supported Versions

We release patches for security vulnerabilities for the following versions:

| Version | Supported |
| ------- | --------- |
| 0.1.x   | Yes       |

Reporting a Vulnerability

We take the security of TradingAgents seriously. If you believe you have found a security vulnerability, please report it to us as described below.

Please do NOT report security vulnerabilities through public GitHub issues.

How to Report

Please report security vulnerabilities by emailing: yijia.xiao@cs.ucla.edu

Include the following information in your report:

  1. Type of vulnerability (e.g., SQL injection, XSS, path traversal)
  2. Full paths of source file(s) related to the vulnerability
  3. Location of the affected source code (tag/branch/commit or direct URL)
  4. Step-by-step instructions to reproduce the issue
  5. Proof-of-concept or exploit code (if possible)
  6. Impact of the vulnerability

What to Expect

  • We will acknowledge your email within 48 hours
  • We will provide a more detailed response within 7 days
  • We will work to verify and fix the vulnerability as quickly as possible
  • We will credit you in our security advisory (unless you prefer to remain anonymous)

Security Best Practices for Users

API Key Management

  1. Never commit API keys to version control
  2. Use environment variables or .env files (which are gitignored)
  3. Rotate keys regularly - at least every 90 days
  4. Use different keys for development and production
  5. Monitor API usage for unusual patterns

Example .env file:

OPENAI_API_KEY=your_key_here
ALPHA_VANTAGE_API_KEY=your_key_here
TRADINGAGENTS_DATA_DIR=/path/to/safe/data/directory
TRADINGAGENTS_RESULTS_DIR=/path/to/safe/results/directory

Input Validation

Always validate user inputs when using TradingAgents:

from tradingagents.utils import validate_ticker, validate_date

# Untrusted values, e.g. from a CLI argument or web form (placeholders)
user_input_ticker = "AAPL"
user_input_date = "2025-11-14"

# Validate ticker
try:
    ticker = validate_ticker(user_input_ticker)
except ValueError as e:
    print(f"Invalid ticker: {e}")

# Validate date
try:
    date = validate_date(user_input_date)
except ValueError as e:
    print(f"Invalid date: {e}")

Secure File Paths

The framework now automatically sanitizes file paths. However, you should still:

  1. Never use user input directly in file paths
  2. Use the built-in sanitization functions
  3. Validate all file operations

from tradingagents.security import sanitize_path_component
from pathlib import Path
import os

# Placeholders for untrusted input; the base directory comes from the environment
user_input_ticker = "AAPL"
user_input_date = "2025-11-14"
results_dir = os.environ["TRADINGAGENTS_RESULTS_DIR"]

# Safe file path construction
ticker = sanitize_path_component(user_input_ticker)
date = sanitize_path_component(user_input_date)
safe_path = Path(results_dir) / ticker / date
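
The validation and path-sanitization helpers above are the project's own; the following is an added example, not TradingAgents code, showing how such helpers can be built and, more importantly, how the final path is checked for containment after joining. The functions validate_ticker, validate_date, sanitize_path_component, build_results_path and is_rejected here are this example's stand-ins and are assumed, not the project's API; the ticker format and the rejection rules are also assumptions.

```python
"""Added example (not TradingAgents' own code): validating user-supplied
ticker/date values and building a results path that cannot escape the
configured results directory. All function names here are illustrative."""
import os
import re
from datetime import date
from pathlib import Path

# Assumed ticker format: 1-10 uppercase letters/digits plus '.' or '-' (e.g. BRK.B).
_TICKER_RE = re.compile(r"[A-Z0-9][A-Z0-9.\-]{0,9}")
# Characters that are allowed to survive in a single path component.
_DISALLOWED_RE = re.compile(r"[^A-Za-z0-9._-]")


def validate_ticker(raw: str) -> str:
    """Normalise and validate a ticker symbol; raise ValueError otherwise."""
    if not isinstance(raw, str):
        raise ValueError("ticker must be a string")
    ticker = raw.strip().upper()
    if not _TICKER_RE.fullmatch(ticker):
        raise ValueError(f"invalid ticker symbol: {raw!r}")
    return ticker


def validate_date(raw: str) -> str:
    """Accept only ISO YYYY-MM-DD strings that are real calendar dates."""
    if not isinstance(raw, str) or not re.fullmatch(r"\d{4}-\d{2}-\d{2}", raw):
        raise ValueError(f"date must be YYYY-MM-DD: {raw!r}")
    try:
        parsed = date.fromisoformat(raw)
    except ValueError as exc:
        raise ValueError(f"not a calendar date: {raw!r}") from exc
    return parsed.isoformat()


def sanitize_path_component(value: str) -> str:
    """Reduce a string to one safe path component, or raise ValueError.

    Separators and other unexpected characters are dropped; a result that is
    empty or dot-prefixed ('.', '..', hidden files) is rejected rather than
    silently renamed, so traversal attempts fail loudly.
    """
    cleaned = _DISALLOWED_RE.sub("", str(value))
    if not cleaned or cleaned.startswith("."):
        raise ValueError(f"unsafe path component: {value!r}")
    return cleaned


def build_results_path(results_dir: str, ticker: str, trade_date: str) -> Path:
    """Join sanitized components under results_dir and verify containment."""
    base = Path(results_dir).resolve()
    candidate = (base / sanitize_path_component(ticker)
                 / sanitize_path_component(trade_date)).resolve()
    # Defence in depth: resolve() follows symlinks, so this also catches a
    # results directory that has been pointed somewhere unexpected.
    if base not in candidate.parents:
        raise ValueError(f"path escapes results directory: {candidate}")
    return candidate


def is_rejected(func, value) -> bool:
    """Helper for demos and tests: True if func(value) raises ValueError."""
    try:
        func(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Base directory comes from the environment, never from user input.
    results_dir = os.environ.get("TRADINGAGENTS_RESULTS_DIR", "/tmp/tradingagents-results")
    for raw_ticker, raw_date in [("aapl", "2025-11-14"), ("../etc", "2025-11-14"),
                                 ("AAPL", "2025-02-30")]:
        try:
            print(build_results_path(results_dir, validate_ticker(raw_ticker),
                                     validate_date(raw_date)))
        except ValueError as exc:
            print("rejected:", exc)
```

The containment check in build_results_path is the part worth keeping even when a sanitizer already exists: it operates on the resolved path, so it holds regardless of how the components were produced.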

Rate Limiting

To avoid hitting API rate limits:

from tradingagents.security import RateLimiter

# Limit to 60 calls per minute
@RateLimiter(max_calls=60, period=60)
def my_api_call():
    # Your API call here
    pass
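
As an added example (not the project's own RateLimiter), here is a sliding-window limiter with the same max_calls/period constructor shape as the snippet above. The clock and sleep parameters, the acquire method, the waited_total counter and the simulate helper are this example's own assumptions, included so the throttling behaviour can be checked deterministically without real waiting.

```python
"""Added example (not TradingAgents code): a blocking sliding-window rate
limiter usable as a decorator, with an injectable clock for testing."""
import functools
import threading
import time
from collections import deque
from typing import Callable, Deque, List


class RateLimiter:
    """Allow at most max_calls invocations in any rolling window of period seconds.

    When the window is full, the next call blocks until the oldest timestamp
    falls out of the window, so the provider never sees the over-quota request.
    clock and sleep are injectable (hypothetical parameters, not the project's
    API) so behaviour can be verified without sleeping.
    """

    def __init__(self, max_calls: int, period: float,
                 clock: Callable[[], float] = time.monotonic,
                 sleep: Callable[[float], None] = time.sleep) -> None:
        if max_calls < 1 or period <= 0:
            raise ValueError("max_calls must be >= 1 and period must be > 0")
        self.max_calls = max_calls
        self.period = period
        self._clock = clock
        self._sleep = sleep
        self._calls: Deque[float] = deque()
        self._lock = threading.Lock()  # one limiter may guard several threads
        self.waited_total = 0.0        # seconds spent throttled; worth monitoring

    def _evict_expired(self, now: float) -> None:
        while self._calls and now - self._calls[0] >= self.period:
            self._calls.popleft()

    def acquire(self) -> float:
        """Block until a slot is free and record the call; return seconds waited."""
        waited = 0.0
        with self._lock:
            now = self._clock()
            self._evict_expired(now)
            while len(self._calls) >= self.max_calls:
                # Oldest call is still inside the window, so delay is > 0.
                delay = max(0.0, self.period - (now - self._calls[0]))
                self._sleep(delay)
                waited += delay
                now = self._clock()
                self._evict_expired(now)
            self._calls.append(now)
            self.waited_total += waited
        return waited

    def __call__(self, func):
        @functools.wraps(func)
        def wrapper(*args, **kwargs):
            self.acquire()
            return func(*args, **kwargs)
        wrapper.limiter = self  # exposed for monitoring and tests
        return wrapper


def simulate(max_calls: int, period: float, n_calls: int) -> List[float]:
    """Drive a limiter with a fake clock; return the virtual time of each call."""
    state = {"t": 0.0}

    def fake_clock() -> float:
        return state["t"]

    def fake_sleep(seconds: float) -> None:
        state["t"] += seconds

    limiter = RateLimiter(max_calls, period, clock=fake_clock, sleep=fake_sleep)

    @limiter
    def api_call() -> float:
        return state["t"]

    return [api_call() for _ in range(n_calls)]


if __name__ == "__main__":
    # Real-time use, matching the policy's snippet: 60 calls per minute.
    @RateLimiter(max_calls=60, period=60)
    def my_api_call():
        pass  # your API call here

    print(simulate(3, 60, 5))  # [0.0, 0.0, 0.0, 60.0, 60.0]
```

Blocking rather than raising is a deliberate choice here: a limiter that throws leaves the caller to retry, and naive retries are what exhaust quotas in the first place. The waited_total counter gives a cheap signal for the monitoring section that follows.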

Logging and Monitoring

  1. Enable security logging in production
  2. Monitor for unusual patterns:
    • Excessive API calls
    • Failed authentication attempts
    • Unusual ticker symbols
  3. Set up alerts for security events
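
The three patterns listed above can be checked mechanically. The following is an added example, not part of the TradingAgents project: a small detector run over constructed log lines. The log format, the field names, the thresholds and the alert shape are all this example's assumptions; note that the log carries a key identifier (dev-key, prod-key), never the secret itself, in line with the data-protection guidance below.

```python
"""Added example (not TradingAgents code): scan API-usage log lines for
excessive calls, repeated authentication failures and malformed tickers."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, Iterable, List, Optional

# Assumed log format: one event per line, key logged by short id only.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) key=(?P<key>\S+) event=(?P<event>\S+)"
    r"(?: ticker=(?P<ticker>\S+))? status=(?P<status>\d{3})$"
)
TICKER_RE = re.compile(r"[A-Z0-9][A-Z0-9.\-]{0,9}")  # assumed ticker shape

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
2025-11-14T10:00:00Z key=dev-key event=api_call ticker=AAPL status=200
2025-11-14T10:00:05Z key=dev-key event=api_call ticker=MSFT status=200
2025-11-14T10:00:10Z key=prod-key event=api_call ticker=NVDA status=200
2025-11-14T10:00:11Z key=prod-key event=api_call ticker=NVDA status=200
2025-11-14T10:00:12Z key=prod-key event=api_call ticker=NVDA status=200
2025-11-14T10:00:13Z key=prod-key event=api_call ticker=NVDA status=200
2025-11-14T10:00:14Z key=prod-key event=api_call ticker=NVDA status=200
2025-11-14T10:00:15Z key=prod-key event=api_call ticker=NVDA status=200
2025-11-14T10:00:20Z key=old-key event=auth status=401
2025-11-14T10:00:21Z key=old-key event=auth status=401
2025-11-14T10:00:22Z key=old-key event=auth status=401
2025-11-14T10:00:30Z key=dev-key event=api_call ticker=../../results status=400
""".splitlines()


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one log line into a dict, or return None if it does not match."""
    match = LOG_RE.match(line.strip())
    if not match:
        return None
    rec: Dict[str, object] = match.groupdict()
    # 'Z' suffix is normalised for datetime.fromisoformat on older Pythons.
    rec["ts"] = datetime.fromisoformat(str(rec["ts"]).replace("Z", "+00:00"))
    return rec


def detect(lines: Iterable[str], max_calls_per_minute: int = 5,
           max_auth_failures: int = 3) -> List[Dict[str, object]]:
    """Return alerts in the order they are triggered by the log stream."""
    alerts: List[Dict[str, object]] = []
    recent_calls = defaultdict(deque)   # key id -> call timestamps in last 60 s
    auth_failures = defaultdict(int)    # key id -> count of 401/403 responses
    rate_flagged = set()                # alert once per key, not once per call
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            alerts.append({"type": "unparseable_line", "key": None, "detail": line})
            continue
        key, ts = rec["key"], rec["ts"]
        if rec["status"] in ("401", "403"):
            auth_failures[key] += 1
            if auth_failures[key] == max_auth_failures:
                alerts.append({"type": "auth_failures", "key": key,
                               "detail": f"{max_auth_failures} failures"})
        if rec["event"] != "api_call":
            continue
        window = recent_calls[key]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() >= 60:
            window.popleft()
        if len(window) > max_calls_per_minute and key not in rate_flagged:
            rate_flagged.add(key)
            alerts.append({"type": "excessive_api_calls", "key": key,
                           "detail": f"{len(window)} calls in 60 s"})
        ticker = rec["ticker"]
        if ticker is not None and not TICKER_RE.fullmatch(str(ticker)):
            alerts.append({"type": "unusual_ticker", "key": key, "detail": ticker})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Lines that do not parse are reported rather than dropped: a logging change that silently breaks the parser would otherwise turn the detector blind.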

Network Security

  1. Always use HTTPS for API calls
  2. Verify SSL certificates
  3. Set appropriate timeouts
  4. Use VPN or private networks when possible

Data Protection

  1. Encrypt sensitive data at rest
  2. Don't log API keys or sensitive data
  3. Implement data retention policies
  4. Follow GDPR/CCPA if applicable

Known Security Enhancements

The following security enhancements have been implemented:

Version 0.1.1 (Current)

  • Path traversal protection: All file paths are now sanitized
  • Input validation: Ticker symbols and dates are validated
  • API key validation: Keys are validated before use
  • Rate limiting: Built-in rate limiter to prevent quota exhaustion
  • Secure defaults: Hardcoded paths removed, environment variables used
  • URL validation: Protection against SSRF attacks
  • Timeout enforcement: All network requests have timeouts

Pending Security Enhancements

  • Comprehensive test suite with security tests
  • Automated secret scanning in CI/CD
  • Dependency vulnerability scanning
  • Security headers for any web interfaces
  • Audit logging for security events

Security Disclosure Policy

Timeline

  • Day 0: Vulnerability reported to security team
  • Day 1-2: Acknowledgment sent to reporter
  • Day 3-7: Vulnerability verified and severity assessed
  • Day 7-30: Fix developed and tested
  • Day 30-45: Fix released and advisory published
  • Day 45+: Full disclosure (if agreed with reporter)

Severity Levels

| Severity | Description | Response Time |
| -------- | ----------- | ------------- |
| Critical | Actively exploited, remote code execution, data breach | 24-48 hours |
| High | Authentication bypass, privilege escalation | 1 week |
| Medium | Information disclosure, DoS | 2 weeks |
| Low | Limited impact, requires specific conditions | 1 month |

Security Acknowledgments

We would like to thank the following people for their responsible disclosure of security vulnerabilities:

  • Your name could be here!

Additional Resources

Security Contacts

This security policy is provided "as is" without warranty of any kind. The TradingAgents team reserves the right to modify this policy at any time.

Last updated: 2025-11-14