We release patches for security vulnerabilities in the following versions:

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.

1. Do NOT open a public GitHub issue for security vulnerabilities.

2. Email the maintainer directly or use GitHub's private vulnerability reporting feature:

   • Go to the repository's Security tab
   • Click "Report a vulnerability"
   • Provide detailed information about the vulnerability

When reporting a vulnerability, please include:

• A description of the vulnerability
• Steps to reproduce the issue
• Potential impact assessment
• Any suggested fixes (optional)

• Initial Response: Within 48 hours
• Status Update: Within 7 days
• Resolution Target: Within 30 days for critical issues

1. We will acknowledge receipt of your report
2. We will investigate and validate the vulnerability
3. We will work on a fix and coordinate disclosure timing
4. We will credit you in the security advisory (unless you prefer anonymity)

This project implements the following security practices:

• Ruff with Bandit rules (S): Automated security vulnerability detection
• CodeQL scanning: Weekly security analysis via GitHub Actions
• Pre-commit hooks: Validate code before commits

• Renovate: Automated dependency updates
• Dependabot alerts: GitHub security alerts for vulnerable dependencies
• Lock files: Reproducible builds with uv.lock

• All changes require pull request review
• CI/CD must pass before merging
• Security-sensitive changes receive additional scrutiny

This is a simulation/demonstration project and should not be used for:

• Actual financial trading decisions
• Production financial systems
• Handling sensitive financial data

The random portfolio simulations are for educational and research purposes only.