| Version | Supported |
|---|---|
| 1.x | ✅ |
Do not open a public GitHub issue for security vulnerabilities.
Please report security vulnerabilities via GitHub Private Security Advisories.
For urgent issues you may additionally email: suhay.sevinc@gmail.com
Include in your report:
- A description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (optional)
You will receive an acknowledgement within 48 hours and a status update within 7 days.
| Measure | Implementation |
|---|---|
| API key storage | Read from appsettings.json or environment variables; never hardcoded in source |
| Dependency scanning | dotnet list package --vulnerable and npm audit run in CI on every push and weekly |
| Static analysis | CodeQL scans C# and TypeScript/JavaScript on every PR |
| License compliance | No GPL/AGPL dependencies allowed (enforced in CI) |
- CoinGecko API Key: Set via
appsettings.json → MarketData:CoinGecko:ApiKeyor env varMarketData__CoinGecko__ApiKey - LLM provider API key (Claude / Gemini / OpenAI): Set via
appsettings.json → LlmProvider:{Provider}:ApiKeyor env varLlmProvider__{Provider}__ApiKey(e.g.LlmProvider__Claude__ApiKey) - Google OAuth: Set via
dotnet user-secrets set "Authentication:Google:ClientId" "…"(and…:ClientSecret) locally; env vars in production. Registerhttps://<host>/signin-googleas an authorized redirect URI in the Google Cloud console (e.g.https://localhost:5001/signin-googlefor local dev). Optionally setAuthentication:Google:PostLoginRedirectUrito the frontend origin users return to after sign-in (defaults tohttp://localhost:5173). Google sign-in is disabled automatically when noClientIdis configured.
Never commit appsettings.json files containing real API keys. Use appsettings.Development.json (in .gitignore) for local secrets or use .NET User Secrets.