Only the latest release on the main branch is actively maintained and receives
security updates.

| Version | Supported |
|---|---|
| latest (main) | ✅ |
| older releases | ❌ |

Please do not report security vulnerabilities through public GitHub issues.
This project manages live cryptocurrency portfolio data and interacts with the Kraken exchange API. Security vulnerabilities should be treated with care.
Please use GitHub's **Private Vulnerability Reporting** feature to submit a vulnerability report confidentially.
Alternatively, you may open a GitHub Security Advisory directly from the *Security* tab of this repository.
Please include as much of the following as possible:
- A description of the vulnerability and its potential impact
- Steps to reproduce the issue
- Any relevant logs, screenshots, or proof-of-concept code
- Suggested fix or mitigation (if known)

After a report is received, you can expect the following:
- Acknowledgement: Within 48 hours of submission
- Status update: Within 7 days with an assessment of severity and planned resolution
- Resolution: Critical vulnerabilities will be prioritized and patched as quickly as possible
This application handles sensitive Kraken API credentials and executes live trades. When deploying:
- Never commit your `rebalancer-config.json`: it contains your API keys and is listed in `.gitignore` for this reason
- Run with the minimum required API permissions on Kraken (Query Funds, Query Open Orders, Create & Modify Orders)
- Consider running in dry-run mode (`dryRun: true`) before enabling live trading
- Restrict access to the machine running this application
- Regularly rotate your Kraken API keys
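As an added example (not part of the project's own code), a pre-deployment check that turns the points above into a gate: the config file must be covered by `.gitignore`, must not be readable by other users on the machine, and `dryRun` must be `true` unless live trading is requested explicitly. The `.gitignore` matching is a simplified approximation of git's rules, and the config contents and `apiKey` key name in the fixture are constructed placeholders.

```python
import fnmatch
import json
import os
import stat
import tempfile
from pathlib import Path

CONFIG_NAME = "rebalancer-config.json"

def gitignore_covers(gitignore: Path, filename: str) -> bool:
    """Approximate .gitignore check: does any non-negated, non-comment
    pattern match the bare filename?  Nested and '!' rules are not modelled."""
    if not gitignore.is_file():
        return False
    for line in gitignore.read_text().splitlines():
        pat = line.strip()
        if pat and not pat.startswith(("#", "!")) and fnmatch.fnmatch(filename, pat.lstrip("/")):
            return True
    return False

def preflight(config_path: str, allow_live: bool = False) -> list:
    """Return findings that should block a deployment; [] means all checks pass."""
    path = Path(config_path)
    findings = []
    if not gitignore_covers(path.parent / ".gitignore", path.name):
        findings.append("config not covered by .gitignore")
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"config mode {oct(mode)} is readable by group/others")
    if json.loads(path.read_text()).get("dryRun") is not True and not allow_live:
        findings.append("dryRun is not true; set allow_live=True to go live deliberately")
    return findings

def build_fixture(dry_run: bool, ignored: bool, mode: int = 0o600) -> str:
    """Write a constructed config (placeholder credentials, assumed key name)
    plus a .gitignore into a fresh temporary repo directory; returns the config path."""
    repo = Path(tempfile.mkdtemp())
    cfg = repo / CONFIG_NAME
    cfg.write_text(json.dumps({"apiKey": "PLACEHOLDER", "dryRun": dry_run}))
    os.chmod(cfg, mode)
    (repo / ".gitignore").write_text("node_modules/\n" + (CONFIG_NAME + "\n" if ignored else ""))
    return str(cfg)

if __name__ == "__main__":
    # A deliberately misconfigured fixture: world-readable, not ignored, live trading on.
    for finding in preflight(build_fixture(dry_run=False, ignored=False, mode=0o644)):
        print("BLOCK:", finding)
```

Run it against the real repository by pointing `preflight()` at your own `rebalancer-config.json`; a non-empty result should stop the deployment before any Kraken API call is made.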