| Version | Supported |
|---|---|
| 0.x | Yes |

If you discover a security vulnerability, please report it responsibly through private channels.
Do NOT open a public GitHub issue for security vulnerabilities.
Instead, please use GitHub Security Advisories to report vulnerabilities privately. This ensures the issue can be addressed before public disclosure.
When reporting, please include:
- A description of the vulnerability
- Steps to reproduce the issue
- Potential impact
- Suggested fix (if any)

We aim to acknowledge reports within 48 hours and provide a fix timeline within 7 days.
This policy applies to the @polybot/sdk npm package and this repository. Third-party dependencies are out of scope, but we appreciate reports about vulnerable dependencies.
This SDK handles:
- Private keys for Ethereum/Polygon signing (via lib/ethereum/)
- API credentials for Polymarket CLOB access
- Financial operations (order placement, position management)

All credential objects are wrapped with opaque markers and auto-redacted from logs. Never store secrets in code, environment variables in version control, or unencrypted on disk.
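As an added illustration of what "opaque marker, auto-redacted from logs" means in practice (this is example code, not the @polybot/sdk implementation; the `Secret` class, the `leaksSecret` check and the marker string are assumptions): the raw value is kept out of the object's own properties, every stringification path a logger uses returns the marker, and reading the value requires an explicit, greppable call.

```typescript
import { inspect } from "util";

// Marker that appears in logs instead of the credential (constructed value).
export const REDACTED = "[REDACTED:secret]";

// Raw values live in a module-private WeakMap, so they are not own
// properties of the wrapper and do not show up in util.inspect output
// or in spread/Object.keys enumeration.
const store = new WeakMap<Secret, string>();

export class Secret {
  constructor(value: string) {
    store.set(this, value);
  }
  // The only way to read the raw value; easy to audit for in code review.
  expose(): string {
    return store.get(this) ?? "";
  }
  // `${s}`, String(s), string concatenation
  toString(): string {
    return REDACTED;
  }
  // JSON.stringify(...) and any JSON-based logger
  toJSON(): string {
    return REDACTED;
  }
  // console.log(s), util.inspect(s), util.format("%o", s)
  [inspect.custom](): string {
    return REDACTED;
  }
}

// Check a log-shaped payload through the three common stringification
// paths and report whether the raw secret leaks through any of them.
export function leaksSecret(payload: unknown, secret: Secret): boolean {
  const raw = secret.expose();
  const renderings = [
    String(payload),
    JSON.stringify(payload) ?? "",
    inspect(payload, { depth: null }),
  ];
  return renderings.some((text) => text.includes(raw));
}
```

A unit test built on `leaksSecret` is a cheap regression guard: any new logging path that starts printing the raw value fails the test instead of reaching production logs.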