Security: watthem/matchstick-trading

SECURITY.md

Security Policy

Supported Versions

Version Supported
0.0.2
< 0.0.2

Demo Repository Notice

This is a demo repository with simulated functionality. It does not handle:

  • Real trading data
  • Live broker connections
  • Actual financial transactions
  • Production credentials

However, we still take security seriously for:

  • Code quality and safety
  • Dependency vulnerabilities
  • Best practices demonstration

Reporting a Vulnerability

If you discover a security vulnerability in this demo code, please report it by:

Email

Send details to: [email protected]

What to Include

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if any)

Response Timeline

  • Initial Response: Within 48 hours
  • Status Update: Within 7 days
  • Fix Timeline: Depends on severity

Security Best Practices

This demo follows Rust security best practices:

Dependencies

  • Regular cargo audit checks
  • Minimal dependency footprint
  • Well-maintained crates only

Code Quality

  • No unsafe code in demo
  • Clippy lints enforced
  • Input validation

Data Handling

  • No sensitive data in demo
  • Local file storage only
  • No external API calls (mock only)

Scope

In Scope

  • Dependency vulnerabilities
  • Code injection possibilities
  • Unsafe memory access
  • Path traversal issues

Out of Scope

  • Trading strategy vulnerabilities (demo only)
  • Performance issues
  • UI/UX bugs
  • Feature requests

Production Security

Note: This demo does not represent production security measures. Production Matchstick includes:

  • Enterprise-grade authentication
  • Encrypted credential storage
  • Audit logging
  • Rate limiting
  • TLS/SSL for all connections
  • SOC 2 compliance (planned)

For production security details, visit matchstick.trading.

Disclosure Policy

We follow responsible disclosure:

  1. Report sent to [email protected]
  2. We acknowledge receipt within 48 hours
  3. We investigate and develop a fix
  4. We release a patched version
  5. Public disclosure after users can update

Security Updates

Security updates will be:

  • Released as patch versions (e.g., 0.0.3)
  • Documented in CHANGELOG.md
  • Announced via GitHub Security Advisories
  • Noted in release notes

Contact
Thank you for helping keep Matchstick and its users safe!