We take security seriously at vTicker. If you discover a security vulnerability, please follow responsible disclosure practices.

Do NOT open a public GitHub issue for security vulnerabilities.

Instead, please report security issues by:

1. Email: Send details to the repository maintainers via GitHub
2. GitHub Security Advisory: Use the GitHub Security Advisory feature (preferred)

When reporting a vulnerability, please include:

• Description of the vulnerability
• Steps to reproduce the issue
• Potential impact assessment
• Suggested fix (if available)
• Your contact information for follow-up

• Acknowledgment: Within 48 hours
• Initial Assessment: Within 7 days
• Status Updates: Every 14 days until resolved
• Fix Timeline: Varies by severity (critical issues prioritized)

When contributing to vTicker:

1. Use npm ci instead of npm install

   • Ensures exact dependency versions from package-lock.json
   • Prevents supply chain attacks from unexpected updates

2. Review Dependabot PRs

   • Check changelogs before approving dependency updates
   • Verify security patches are legitimate

3. Never commit secrets

   • No API keys, tokens, or credentials
   • Use environment variables for sensitive data
   • Check commits before pushing

4. Run security audits

   npm audit

1. Keep dependencies updated

   • Enable Dependabot alerts
   • Review and apply security patches promptly

2. Use environment variables

   • Never hardcode configuration
   • Use .env.local for local development (gitignored)

3. Run in production mode

   npm run build
   npm start

4. Monitor for security advisories

   • Watch this repository for security updates
   • Subscribe to GitHub security notifications

This project implements:

• ✅ Automated dependency scanning (Dependabot)
• ✅ npm audit in CI/CD pipeline
• ✅ Locked dependency versions via package-lock.json
• ✅ Type safety with TypeScript
• ✅ ESLint for code quality
• ✅ Regular security updates

No known security issues at this time.

To protect against npm supply chain attacks:

1. Always use npm ci - Uses exact versions from lock file
2. Verify package-lock.json integrity - Check for unexpected changes
3. Review CI/CD logs - Look for suspicious install scripts
4. Monitor Dependabot alerts - Act on security updates promptly

Watch for:

• Unexpected postinstall scripts in dependencies
• New dependencies you didn't add
• Changes to package-lock.json without corresponding PR
• Unusual network activity during npm install

We follow security best practices inspired by:

• OWASP Top 10
• npm Security Best Practices
• GitHub Security Best Practices

• Coordinated Disclosure: We follow a 90-day disclosure timeline
• Public Disclosure: Security advisories published after fix is available
• Credit: Security researchers will be credited (unless they prefer anonymity)

For non-security issues, please use GitHub Issues.

Thank you for helping keep vTicker secure!