We take the security of the Kaleidoswap SDK seriously. If you have discovered a security vulnerability, please report it to us responsibly.

Please DO NOT open a public issue for security vulnerabilities. Instead, please report security issues by emailing:

security@kaleidoswap.com

When reporting a vulnerability, please include:

• A description of the vulnerability
• Steps to reproduce the issue
• Potential impact of the vulnerability
• Any suggested fixes (if applicable)
• Your contact information for follow-up questions

• Initial Response: We aim to respond to security reports within 48 hours
• Status Updates: We will provide status updates every 7 days until the issue is resolved
• Fix Timeline: We will work to fix confirmed vulnerabilities as quickly as possible, typically within 30 days

• Please give us reasonable time to investigate and fix the issue before making it public
• We will credit researchers who report vulnerabilities responsibly (unless you prefer to remain anonymous)
• Once a fix is released, we will publish a security advisory with details about the vulnerability and the fix

We currently provide security updates for the following versions:

When using the Kaleidoswap SDK, please follow these security best practices:

• Never commit API keys, private keys, or secrets to version control
• Use environment variables or secure secret management solutions
• Rotate API keys regularly
• Use different API keys for development, staging, and production environments

• Always use HTTPS for API connections in production
• Validate SSL certificates
• Use WebSocket Secure (WSS) for WebSocket connections
• Implement proper timeout and retry mechanisms

• Always validate and sanitize user inputs
• Verify asset IDs and amounts before executing swaps
• Implement proper error handling for all API calls
• Use the SDK's built-in validation methods

• Respect API rate limits
• Implement exponential backoff for retries
• Cache responses when appropriate to reduce API calls
• Monitor your API usage

• Keep the SDK and its dependencies up to date
• Regularly check for security advisories
• Use npm audit (TypeScript) or safety check (Python) to scan for vulnerabilities
• Enable dependabot or similar tools for automated dependency updates

• Never log sensitive information (API keys, private keys, payment data)
• Sanitize logs before sending to external services
• Implement proper log rotation and retention policies

• Use the latest stable version of the SDK
• Enable security headers and CORS properly
• Implement rate limiting on your application layer
• Use a Web Application Firewall (WAF) for additional protection
• Monitor for suspicious activities and failed authentication attempts

• WebSocket connections should always use WSS (WebSocket Secure) in production
• Implement proper authentication and authorization for WebSocket connections
• Monitor WebSocket connections for abnormal behavior

• Always verify swap parameters before execution
• Implement proper timeout mechanisms for swap operations
• Monitor swap status and handle failures appropriately
• Keep backup of swap strings and payment hashes for recovery

• Verify RGB asset IDs before transactions
• Implement proper asset validation
• Use checksums and signatures when available

The Kaleidoswap SDK is designed to be compliant with:

• SOC 2 Type II standards

Security updates and advisories will be published:

1. In the CHANGELOG.md file
2. As GitHub Security Advisories
3. Via email to registered users (if you've opted in)

For security-related questions or concerns, please contact:

• Email: security@kaleidoswap.com
• PGP Key: Available upon request

Last updated: 2024-11-20