Currently supported versions with security updates:

| Version | Supported |
|---|---|
| 0.1.x | ✅ |
We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.
- DO NOT open a public GitHub issue for security vulnerabilities
- Email your findings to the maintainers (see repository contact information)
- Or use GitHub's private vulnerability reporting feature
Please provide:
- Description of the vulnerability
- Steps to reproduce
- Potential impact assessment
- Any suggested fixes (if applicable)
Reports are handled on the following timeline:
- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Resolution Target: Within 30 days (depending on severity)
Reports are triaged using these severity levels:

| Level | Description | Example |
|---|---|---|
| Critical | Immediate threat to user funds or data | Private key exposure, authentication bypass |
| High | Significant security impact | API credential leakage, injection vulnerabilities |
| Medium | Moderate security impact | Information disclosure, rate limit bypass |
| Low | Minor security impact | Non-sensitive information exposure |
When using ccxt-rust, load API credentials from the environment rather than writing them into source code:

```rust
// DO: read credentials from environment variables
let api_key = std::env::var("API_KEY").expect("API_KEY required");
let secret = std::env::var("API_SECRET").expect("API_SECRET required");
let config = ExchangeConfig::default()
    .with_api_key(&api_key)
    .with_secret(&secret);

// DON'T: hardcode credentials
// let config = ExchangeConfig::default()
//     .with_api_key("hardcoded-key")    // NEVER do this
//     .with_secret("hardcoded-secret");
```

Use sandbox mode for development:

```rust
let config = ExchangeConfig::default()
    .with_sandbox(true); // use testnet APIs
```

Rate limiting:
- Respect exchange rate limits
- Implement exponential backoff for retries
- Monitor for 429 (Too Many Requests) responses
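The retry loop below is an added example written for this page, not code from ccxt-rust, to show what "exponential backoff" and "monitor for 429" look like in practice: delays double per attempt and are capped, a Retry-After value sent by the exchange takes precedence over the computed delay, and a hard attempt limit prevents unbounded retrying. The `Response` struct is a stand-in for whatever HTTP client type a real integration uses, the jitter is deterministic so the scenario is reproducible (a production client would use random jitter), and the response sequence in `run_scenario` is constructed, not captured traffic.

```rust
use std::time::Duration;

/// Stand-in for an HTTP response (hypothetical type, not ccxt-rust's):
/// only the fields the retry logic needs.
#[derive(Debug, Clone, PartialEq)]
pub struct Response {
    pub status: u16,
    pub retry_after_secs: Option<u64>,
    pub body: String,
}

/// Backoff policy: `base` doubles on every retry, never exceeding `max_delay`,
/// and the whole request is abandoned after `max_attempts` tries.
pub struct BackoffPolicy {
    pub base: Duration,
    pub max_delay: Duration,
    pub max_attempts: u32,
}

impl BackoffPolicy {
    /// Delay to wait before the retry that follows `attempt` (1-based).
    /// An explicit Retry-After from the exchange wins over the computed value.
    pub fn delay_for(&self, attempt: u32, retry_after: Option<u64>) -> Duration {
        if let Some(secs) = retry_after {
            return Duration::from_secs(secs).min(self.max_delay);
        }
        // 2^(attempt-1) * base, with the exponent clamped so the shift cannot overflow
        let factor = 1u32 << attempt.saturating_sub(1).min(16);
        let exp = self.base.checked_mul(factor).unwrap_or(self.max_delay);
        let capped = exp.min(self.max_delay);
        // Deterministic jitter of 0..20% so tests are reproducible; use a real
        // RNG in production so many clients do not retry in lockstep.
        let jitter_ms = capped.as_millis() as u64 * (attempt as u64 % 5) / 20;
        (capped + Duration::from_millis(jitter_ms)).min(self.max_delay)
    }
}

#[derive(Debug, PartialEq)]
pub enum RetryError {
    /// Every attempt was rate limited; gives up rather than hammering the exchange.
    Exhausted { attempts: u32, last_status: u16 },
    /// A non-429 error status; these are not retried here.
    Failed(u16),
}

/// Calls `send` until it returns a 2xx, a non-retryable status, or the attempt
/// budget is spent. `sleep` is injected so the loop can run without real waits.
pub fn send_with_backoff<F, S>(policy: &BackoffPolicy, mut send: F, mut sleep: S) -> Result<Response, RetryError>
where
    F: FnMut() -> Response,
    S: FnMut(Duration),
{
    let mut last_status = 0;
    for attempt in 1..=policy.max_attempts {
        let resp = send();
        last_status = resp.status;
        match resp.status {
            200..=299 => return Ok(resp),
            429 if attempt < policy.max_attempts => {
                sleep(policy.delay_for(attempt, resp.retry_after_secs));
            }
            429 => break,
            other => return Err(RetryError::Failed(other)),
        }
    }
    Err(RetryError::Exhausted { attempts: policy.max_attempts, last_status })
}

/// Constructed scenario (not real exchange traffic): two rate-limited responses,
/// the second carrying Retry-After: 2, then a success. Returns the outcome and
/// the delays the loop would have slept for.
pub fn run_scenario(policy: &BackoffPolicy) -> (Result<Response, RetryError>, Vec<Duration>) {
    let mut responses = vec![
        Response { status: 429, retry_after_secs: None, body: String::new() },
        Response { status: 429, retry_after_secs: Some(2), body: String::new() },
        Response { status: 200, retry_after_secs: None, body: "{\"balance\":\"1.0\"}".to_string() },
    ]
    .into_iter();
    let mut delays = Vec::new();
    let result = send_with_backoff(
        policy,
        || responses.next().expect("scenario has enough responses"),
        |d| delays.push(d),
    );
    (result, delays)
}

fn main() {
    let policy = BackoffPolicy {
        base: Duration::from_millis(500),
        max_delay: Duration::from_secs(10),
        max_attempts: 5,
    };
    let (result, delays) = run_scenario(&policy);
    println!("result: {:?}", result.map(|r| r.status));
    println!("delays applied: {:?}", delays);
}
```

Only 429 is retried in this example; a real client would usually also retry transient 5xx responses, but auth failures (401/403) must not be retried, since a repeated bad signature looks like an attack to the exchange and can get a key disabled.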
Network security:
- All connections use HTTPS/WSS
- TLS certificates are verified by default
- Consider using a VPN for additional security

API key permissions:
- API keys may have withdrawal permissions; use read-only keys when possible
- IP whitelisting is recommended for trading keys
- Enable 2FA on exchange accounts

WebSocket security:
- WebSocket connections are encrypted (WSS)
- Authentication tokens expire; handle reconnection appropriately
- Private channels require proper authentication

Blockchain and DEX operations:
- Private key management is critical for DEX operations
- Never expose mnemonic phrases or private keys
- Use hardware wallets when possible for signing
This project has not undergone a formal security audit. Users should:
- Review the code before use in production
- Start with small amounts for testing
- Monitor transactions and positions actively
We follow responsible disclosure practices:
- Reporters will be credited (unless anonymity is requested)
- We aim to fix vulnerabilities before public disclosure
- Coordinated disclosure timeline will be agreed upon
For security concerns, please use:
- GitHub Security Advisories (preferred)
- Repository issue tracker (for non-sensitive security improvements)
Thank you for helping keep ccxt-rust secure!