Supported versions (security fixes are issued only for supported release lines):

| Version | Supported |
|---|---|
| 2.x | Yes |
| 1.x | |
| < 1.0 | No |
If you discover a security vulnerability in this project, please report it responsibly:
- Email: security@fthtrading.com
- PGP Key: Available upon request
- Response SLA: Within 24 hours for initial acknowledgment
Please include the following in your report:
- Description of the vulnerability
- Steps to reproduce
- Potential impact assessment
- Suggested remediation (if any)
Disclosure process:
- Report: send details to the security team
- Acknowledge: we confirm receipt within 24 hours
- Investigate: our team assesses severity and impact
- Remediate: we develop and test a fix
- Disclose: coordinated disclosure after the fix is deployed
Severity levels and target response times:

| Level | Response Time | Examples |
|---|---|---|
| 🔴 Critical | < 4 hours | Auth bypass, data exfiltration, RCE |
| 🟠 High | < 24 hours | Privilege escalation, SQL injection |
| 🟡 Medium | < 72 hours | XSS, CSRF, information disclosure |
| 🟢 Low | < 1 week | Minor configuration issues |
Security measures in place:
- All code undergoes mandatory security review
- Automated SAST/DAST scanning on every PR
- Annual third-party penetration testing
- SOC 2 Type II compliance maintained
- Encryption at rest (AES-256) and in transit (TLS 1.3)
- Secret management via HashiCorp Vault
- FINRA Rule 4370 Business Continuity Plan maintained
This platform handles sensitive financial data subject to:
- SEC Rule 17a-4: electronic record retention
- FINRA Rule 3110: supervisory systems
- Gramm-Leach-Bliley Act: customer financial privacy
- SOX: internal controls over financial reporting