| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |
We take security seriously. If you discover a security vulnerability in Binance Trading System, please report it responsibly.
DO NOT create a public GitHub issue for security vulnerabilities.
Instead, please email us directly at: timujeen@gmail.com
Include the following information in your report:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact assessment
- Any suggested fixes (optional)
What to expect after you report:
- Acknowledgment: We will acknowledge receipt of your report within 48 hours
- Assessment: We will assess the vulnerability and determine its severity within 7 days
- Fix Timeline: Critical vulnerabilities will be addressed within 14 days
- Disclosure: We will coordinate with you on public disclosure timing
The following are in scope for security reports:
- Authentication/Authorization bypass
- API key exposure or leakage
- Encryption weaknesses in credential storage
- SQL injection or database vulnerabilities
- Cross-site scripting (XSS) in LiveView components
- Remote code execution
- Denial of service vulnerabilities
- Trading logic exploits that could cause financial loss
The following are out of scope:
- Issues in dependencies (please report them to the respective maintainers)
- Social engineering attacks
- Physical attacks
- Issues requiring physical access to a user's device
- Binance API vulnerabilities (please report to Binance directly)
Recommended security practices for users and operators:
- Never commit API keys to version control
- Use testnet for development and testing
- Enable IP whitelist on Binance for production keys
- Disable withdrawal permissions on API keys
- Rotate API keys regularly (every 90 days recommended)
- Use environment variables for all secrets
- Always use HTTPS in production
- Keep dependencies updated (`mix hex.outdated`)
- Run security audits (`mix hex.audit`)
- Enable database SSL in production
- Use strong SECRET_KEY_BASE (minimum 64 characters)
- Monitor logs for suspicious activity
- Use strong PostgreSQL passwords
- Limit database user permissions
- Enable SSL for database connections
- Take regular, encrypted database backups
- Don't expose database ports publicly
This project uses industry-standard encryption:
- API Keys: AES-256-GCM encryption via Cloak
- Passwords: Argon2 hashing
- API Signatures: HMAC-SHA256
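The HMAC-SHA256 API signature listed above, shown as an added Python example (this is not code from the project, which is written in Elixir): the secret is read from an environment variable rather than hard-coded, the query string is signed client-side, and a server-side model of the check uses a constant-time comparison and enforces the recvWindow. The timestamp and recvWindow handling follows Binance's published signed-endpoint scheme; every sample value is constructed.

```python
import hashlib
import hmac
import os
from urllib.parse import urlencode


def load_secret(var: str = "BINANCE_API_SECRET") -> str:
    """Read the API secret from an environment variable; never hard-code or commit it."""
    secret = os.environ.get(var)
    if not secret:
        raise RuntimeError(f"{var} is not set; refusing to run without a secret")
    return secret


def sign(query: str, secret: str) -> str:
    """HMAC-SHA256 over the exact query string, hex-encoded, as Binance signed endpoints expect."""
    return hmac.new(secret.encode(), query.encode(), hashlib.sha256).hexdigest()


def build_signed_query(params: dict, secret: str, timestamp_ms: int,
                       recv_window_ms: int = 5000) -> str:
    """Client side: add recvWindow and timestamp, sign, and append the signature last."""
    ordered = dict(params)
    ordered["recvWindow"] = recv_window_ms
    ordered["timestamp"] = timestamp_ms
    query = urlencode(ordered)
    return f"{query}&signature={sign(query, secret)}"


def verify_signed_query(signed_query: str, secret: str, now_ms: int) -> bool:
    """Server-side model of the check: constant-time signature compare plus replay window.
    Binance rejects timestamps more than 1000 ms in the future or older than recvWindow."""
    query, sep, sig = signed_query.rpartition("&signature=")
    if not sep or not hmac.compare_digest(sign(query, secret).encode(), sig.encode()):
        return False
    try:
        fields = dict(p.split("=", 1) for p in query.split("&"))
        ts = int(fields["timestamp"])
        window = int(fields.get("recvWindow", 5000))
    except (KeyError, ValueError):
        return False
    return -1000 <= now_ms - ts <= window


if __name__ == "__main__":
    # Constructed demo values; in real use the secret comes from load_secret().
    demo_secret = "constructed-demo-secret"
    q = build_signed_query({"symbol": "BTCUSDT", "side": "BUY"}, demo_secret, 1_700_000_000_000)
    print(q)
    print(verify_signed_query(q, demo_secret, 1_700_000_000_500))
```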
We appreciate the security research community. Reporters who follow responsible disclosure will be acknowledged in our release notes (with permission).
Thank you for helping keep Binance Trading System secure!