If you believe you've found a security issue in MarketBot, please report it privately.
- Email: steipete@gmail.com
- What to include: reproduction steps, impact assessment, and (if possible) a minimal PoC.
MarketBot is a labor of love. There is no bug bounty program and no budget for paid reports. Please still disclose responsibly so we can fix issues quickly. The best way to help the project right now is by sending PRs.
- Public internet exposure
- Using MarketBot in ways that the docs recommend against
For threat model + hardening guidance (including marketbot security audit --deep and --fix), see:
https://docs.marketbot.ai/gateway/security
MarketBot's web interface is intended for local use only. Do not bind it to the public internet; it is not hardened for public exposure.
MarketBot requires Node.js 22.12.0 or later (LTS). This version includes important security patches:
- CVE-2025-59466: async_hooks DoS vulnerability
- CVE-2026-21636: Permission model bypass vulnerability
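A one-line `node --version` has to be read by eye, and a naive string comparison gets it wrong: "v22.9.0" sorts after "v22.12.0" lexicographically even though it is older. The script below is an added example, not MarketBot's own code; it parses the version numerically so the check can gate a CI job or a start script. The `MIN_NODE_VERSION` constant, the function names and the `check` argument convention are assumptions made for this example, and pre-release suffixes are stripped rather than ranked, which is a deliberate simplification.

```shell
#!/usr/bin/env sh
# Added example (not MarketBot's own code): numeric Node.js version gate.
# Assumed minimum, taken from the requirement stated above.
MIN_NODE_VERSION="22.12.0"

# Strip a leading "v" and any pre-release/build suffix
# (e.g. "v22.12.0-nightly..." -> "22.12.0"). Simplification: a pre-release
# of 22.12.0 is treated as satisfying 22.12.0.
normalize_version() {
  printf '%s' "$1" | sed -E 's/^v//; s/[-+].*$//'
}

# Returns 0 when $1 (e.g. "v22.12.0") is >= $2 (e.g. "22.12.0"), 1 otherwise.
# Components are compared as integers; missing components count as 0,
# so "22.12" == "22.12.0".
version_ge() {
  have=$(normalize_version "$1")
  want=$(normalize_version "$2")
  local IFS=.
  set -- $have
  h1=${1:-0}; h2=${2:-0}; h3=${3:-0}
  set -- $want
  w1=${1:-0}; w2=${2:-0}; w3=${3:-0}
  if [ "$h1" -ne "$w1" ]; then [ "$h1" -gt "$w1" ]; return; fi
  if [ "$h2" -ne "$w2" ]; then [ "$h2" -gt "$w2" ]; return; fi
  [ "$h3" -ge "$w3" ]
}

# Reads the live `node --version` and compares it against the minimum.
# Exit codes: 0 ok, 1 too old, 2 node not found, so CI can distinguish them.
check_node() {
  if ! v=$(node --version 2>/dev/null); then
    echo "node is not installed or not on PATH" >&2
    return 2
  fi
  if version_ge "$v" "$MIN_NODE_VERSION"; then
    echo "OK: Node.js $v satisfies the $MIN_NODE_VERSION minimum"
  else
    echo "FAIL: Node.js $v is older than the required $MIN_NODE_VERSION" >&2
    return 1
  fi
}

# Run as `sh check-node.sh check` to test the installed node; sourcing the
# file (`. ./check-node.sh`) only defines the functions.
if [ "${1:-}" = "check" ]; then
  check_node
fi
```

The comparison is done with `test -gt`/`-ge` on each component rather than with `sort -V`, so it behaves the same on BusyBox and macOS, where `sort -V` is not always available.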
Verify your Node.js version:

```bash
node --version # Should be v22.12.0 or later
```

When running MarketBot in Docker:
- The official image runs as a non-root user (node) for reduced attack surface
- Use the --read-only flag when possible for additional filesystem protection
- Limit container capabilities with --cap-drop=ALL
Example secure Docker run:

```bash
docker run --read-only --cap-drop=ALL \
  -v marketbot-data:/app/data \
  marketbot/marketbot:latest
```

With --read-only, the root filesystem is immutable, so anything the process writes outside the mounted volume needs a tmpfs or another volume (for example --tmpfs /tmp for scratch space); if the container fails to start, that is the first thing to check.

This project uses detect-secrets for automated secret detection in CI/CD.
See .detect-secrets.cfg for configuration and .secrets.baseline for the baseline.
Run locally:

```bash
pip install detect-secrets==1.5.0
detect-secrets scan --baseline .secrets.baseline
```