| Version | Supported |
|---|---|
| 2.1.x | ✅ |

We take security seriously. If you discover a security vulnerability, please follow these steps:

Security vulnerabilities should not be disclosed publicly until they have been addressed.

Send a detailed report to: security@smartportfolio.dev (or open a private security advisory on GitHub)

Include:

- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

| Action | Timeline |
|---|---|
| Initial response | Within 48 hours |
| Status update | Within 7 days |
| Fix release | Within 30 days (for critical issues) |

After the vulnerability is fixed:

- We will credit you in the release notes (unless you prefer anonymity)
- A CVE may be requested for significant vulnerabilities

When using SmartPortfolio:

- Never commit API keys to version control
- Use environment variables for sensitive configuration
- Keep your `.env` files in `.gitignore`
- Market data is fetched from public APIs (yfinance)
- Portfolio weights are stored locally in `outputs/`
- No data is transmitted to external servers
- We regularly update dependencies for security patches
- Use `pip install --upgrade` to get latest versions
- Review dependency changes in pull requests
- This is educational/research software
- Not intended for production trading
- No warranty for financial decisions

For security concerns: security@smartportfolio.dev

For general questions: Open a GitHub Discussion