Skip to content

Security: NexusHero/ElliotWaveAnalyzer

SECURITY.md

Security Policy

Supported Versions

Version Supported
1.x

Reporting a Vulnerability

Do not open a public GitHub issue for security vulnerabilities.

Please report security vulnerabilities via GitHub Private Security Advisories.

For urgent issues you may additionally email: suhay.sevinc@gmail.com

Include in your report:

  • A description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (optional)

You will receive an acknowledgement within 48 hours and a status update within 7 days.

Security Measures

Measure Implementation
API key storage Read from appsettings.json or environment variables; never hardcoded in source
Dependency scanning dotnet list package --vulnerable and npm audit run in CI on every push and weekly
Static analysis CodeQL scans C# and TypeScript/JavaScript on every PR
License compliance No GPL/AGPL dependencies allowed (enforced in CI)

API Keys

  • CoinGecko API Key: Set via appsettings.json → MarketData:CoinGecko:ApiKey or env var MarketData__CoinGecko__ApiKey
  • LLM provider API key (Claude / Gemini / OpenAI): Set via appsettings.json → LlmProvider:{Provider}:ApiKey or env var LlmProvider__{Provider}__ApiKey (e.g. LlmProvider__Claude__ApiKey)
  • Google OAuth: Set via dotnet user-secrets set "Authentication:Google:ClientId" "…" (and …:ClientSecret) locally; env vars in production. Register https://<host>/signin-google as an authorized redirect URI in the Google Cloud console (e.g. https://localhost:5001/signin-google for local dev). Optionally set Authentication:Google:PostLoginRedirectUri to the frontend origin users return to after sign-in (defaults to http://localhost:5173). Google sign-in is disabled automatically when no ClientId is configured.

Never commit appsettings.json files containing real API keys. Use appsettings.Development.json (in .gitignore) for local secrets or use .NET User Secrets.

There aren't any published security advisories