We actively maintain and provide security updates for the following versions:

| Version | Supported |
|---------|-----------|
| 2.0.x   | Yes       |
| 1.x.x   | Yes       |

We take security vulnerabilities seriously. If you discover a security vulnerability, please follow these guidelines:
DO NOT create public GitHub issues for security vulnerabilities. Instead, please:
- Email us directly at: security@hyperliquid-copytrader.com
- Include detailed information about the vulnerability
- Provide steps to reproduce if possible
- Wait for our response before making any public disclosure
When reporting a vulnerability, please include:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact assessment
- Suggested fix (if you have one)
- Your contact information for follow-up
Our response timeline:
- Initial Response: Within 48 hours
- Detailed Assessment: Within 1 week
- Fix Development: 2-4 weeks (depending on complexity)
- Public Disclosure: After fix is released
To help keep your deployment secure:
- Never share your HyperLiquid API private keys
- Use read-only keys when possible
- Rotate keys regularly (monthly recommended)
- Monitor API usage for unusual activity
- Keep your VPS updated with latest security patches
- Use SSH key authentication instead of passwords
- Enable fail2ban or similar intrusion prevention
- Monitor logs for suspicious activity
- Use a firewall to restrict unnecessary ports
- Run with minimal privileges (don't use root)
- Keep dependencies updated regularly
- Use secure networks (avoid public WiFi)
- Enable logging for audit trails
- Backup configurations securely
- Start with small amounts to test functionality
- Set reasonable trade limits to minimize exposure
- Monitor positions regularly
- Have emergency stop procedures ready
- Keep offline backups of important data
- The application connects to remote servers via SSH
- API keys are transmitted to HyperLiquid servers
- Consider using VPN for additional network security
- Credentials are stored in system keyring
- Logs may contain sensitive trading information
- Configuration files should have restricted permissions
- We regularly audit third-party dependencies
- Automatic updates may introduce vulnerabilities
- Consider pinning dependency versions in production
Before deploying, verify:
- API keys have minimal required permissions
- SSH access is properly secured
- Server is hardened and updated
- Monitoring and alerting are configured
- Backup and recovery procedures are tested
- Trade limits are appropriately set
- Network connections are secured
For production deployments with significant capital:
- Consider professional security auditing
- Implement additional monitoring solutions
- Use multi-signature wallets where possible
- Implement circuit breakers for unusual activity
If you discover an active exploit or urgent security issue:
- Immediate: Email security@hyperliquid-copytrader.com
- Critical: Contact project maintainers directly via GitHub
- Public Safety: If user funds are at immediate risk, consider responsible public disclosure
We appreciate security researchers who help keep our project safe, and offer them:
- Acknowledgment in our security advisory (if desired)
- Attribution in release notes
- Direct communication with development team
- Consideration for bug bounty (if program is active)
Remember: Security is a shared responsibility. While we work hard to make our software secure, proper configuration and operational security are equally important for protecting your assets.