At NautilusTrader, we take security seriously and appreciate your efforts in helping us identify and fix any vulnerabilities. If you have discovered a security vulnerability, follow the guidelines outlined below.
For our full security policies, see https://nautilustrader.io/security/.
This policy covers:
- NautilusTrader open-source software and official repositories.
- Nautech Systems websites (nautilustrader.io).
Third-party services, exchanges, and data providers are excluded.
Preferred method: GitHub Security Advisories (open a private vulnerability report on the repository)
This keeps the report private while we coordinate a fix, ahead of any public release. You'll receive credit in the security advisory and release notes.
Alternative: Email info@nautechsystems.io
For sensitive reports via email, you may request our PGP key for encrypted communication.
Please include: a description of the vulnerability, steps to reproduce it, the affected versions, and a suggested remediation if you have one.
We commit to:
- Initial response: Within 48 hours of report submission.
- Status update: Within 7 days with initial assessment.
- Fix timeline: Critical vulnerabilities patched within 30 days; other issues within 90 days.
- Coordinated disclosure: We'll work with you to agree on a public disclosure date.
We encourage responsible disclosure of any security vulnerabilities you may discover. When reporting, we ask that you:
- Do not publicly disclose the vulnerability before a fix is available.
- Only exploit the issue to the extent necessary to demonstrate it.
- Do not access unauthorized data or disrupt systems.
- Comply with all applicable laws.
We will acknowledge your contribution in our security advisories and release notes unless you prefer to remain anonymous.
Security fixes are only provided for the latest version of NautilusTrader. If you are running an older version, upgrade before reporting: the issue may already have been fixed in a later release.
At this time, we do not have a formal bug bounty program. We appreciate any efforts to help us improve the security of our platform and will do our best to properly recognize and credit your contributions.
NautilusTrader employs multiple layers of security to protect against supply chain attacks and vulnerabilities:
- Dependency auditing: Automated scanning of Rust dependencies with cargo-deny, cargo-vet, and OSV Scanner, and of Python dependencies via Dependabot alerts.
- Code scanning: CodeQL static analysis for Python and Rust code.
- Pre-commit security: Gitleaks credential screening, private key detection, Zizmor GitHub Actions auditing, and Unicode control character detection.
- CODEOWNERS: Critical infrastructure files require Core team review before merge.
- Branch protection: The develop branch requires PR reviews and passing CI checks before merge.
- Build integrity: SLSA build provenance attestations, GitHub Actions pinned to immutable commit SHAs rather than mutable tags, container image digest pinning, and hardened CI runners with network egress monitoring.
- License compliance: Automated checks that dependency licenses are compatible with LGPL-3.0.
- Source restrictions: Rust crates are sourced exclusively from crates.io; git dependencies and unknown registries are rejected.
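The Unicode control character check and the commit-SHA pinning check listed above, as an added example of how such pre-commit hooks work. This is illustrative code written for this page, not NautilusTrader's own tooling (the project relies on Zizmor and dedicated hooks for these controls). The sample Rust file and the sample workflow are constructed inputs, the file paths are hypothetical, and the 40-hex commit SHA in the workflow is a placeholder rather than a real commit.

```python
"""Minimal pre-commit style checks: Trojan Source / Unicode control characters in
source files, and `uses:` references in GitHub workflows that are not pinned to a
commit SHA. Added example, not the project's own hooks."""
from __future__ import annotations

import re
import sys
import unicodedata
from pathlib import Path

# Bidirectional override/isolate controls abused by "Trojan Source" attacks
# (CVE-2021-42574): they change how source *renders* without changing what compiles.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE RLE PDF LRO RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI RLI FSI PDI
}
# Zero-width characters that can hide an identifier difference from a reviewer.
INVISIBLE = {"\u200b", "\u200c", "\u200d", "\u2060"}
ALLOWED_ASCII_CONTROLS = {"\t", "\n", "\r"}

# A third-party action is "pinned" only if its ref is a full 40-hex commit SHA;
# a docker:// image only if it carries a digest.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")


def find_unicode_controls(text: str) -> list[tuple[int, int, str]]:
    """Return (line, column, U+XXXX) for every suspicious code point in text."""
    findings = []
    # split("\n") rather than splitlines(): splitlines() would swallow U+2028 and
    # other separators we explicitly want to see.
    for lineno, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if (
                ch in BIDI_CONTROLS
                or ch in INVISIBLE
                or (unicodedata.category(ch) == "Cc" and ch not in ALLOWED_ASCII_CONTROLS)
            ):
                findings.append((lineno, col, f"U+{ord(ch):04X}"))
    return findings


def find_unpinned_uses(workflow: str) -> list[tuple[int, str]]:
    """Return (line, ref) for each `uses:` not pinned to a commit SHA or image digest."""
    findings = []
    for lineno, line in enumerate(workflow.split("\n"), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./"):  # local action in the same repo: nothing to pin
            continue
        if ref.startswith("docker://"):
            if "@sha256:" not in ref:
                findings.append((lineno, ref))
            continue
        _, _, version = ref.partition("@")  # tags, branches and missing refs all fail
        if not SHA_RE.match(version):
            findings.append((lineno, ref))
    return findings


def check_files(files: dict[str, str]) -> dict[str, list]:
    """Run the checks over {path: contents}; workflow files get both checks."""
    report: dict[str, list] = {}
    for path, text in files.items():
        problems: list = [("unicode", *f) for f in find_unicode_controls(text)]
        if path.startswith(".github/workflows/"):
            problems += [("unpinned", *f) for f in find_unpinned_uses(text)]
        if problems:
            report[path] = problems
    return report


# Constructed sample: the "commenting-out" Trojan Source pattern. An editor renders
# line 2 as one harmless comment, but the compiler sees the comment end early.
SAMPLE_RS = (
    "fn is_admin(user: &User) -> bool {\n"
    "    /*\u202e } \u2066if user.is_admin {\u2069 \u2066 admins only */\n"
    "    return false;\n"
    "}\n"
)

# Constructed sample workflow; the SHA is a placeholder, not a real checkout commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # pinned
      - uses: actions/setup-python@v5
      - uses: ./.github/actions/setup-rust
      - uses: docker://ghcr.io/example/builder:latest
"""


def main(argv: list[str]) -> int:
    """Hook entry point: exit 1 if any given file fails; with no args, run the samples."""
    files = {p: Path(p).read_text(encoding="utf-8", errors="surrogateescape") for p in argv}
    if not files:
        files = {"src/auth.rs": SAMPLE_RS, ".github/workflows/ci.yml": SAMPLE_WORKFLOW}
    report = check_files(files)
    for path, problems in report.items():
        for kind, *detail in problems:
            print(f"{path}: {kind}: {detail}")
    return 1 if report else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with no arguments to see both constructed samples fail (four bidi controls on line 2 of the Rust file; the `@v5` tag and the digest-less docker image in the workflow), or pass the staged file paths from a pre-commit hook. Real hooks such as Gitleaks and Zizmor do considerably more (entropy-based secret detection, template injection and cache poisoning audits), but the pinning rule they enforce is the one shown here: a tag can be moved, a commit SHA cannot.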
For our full supply chain security policy, see https://nautilustrader.io/security/supply-chain/.
For detailed CI/CD security practices, see .github/OVERVIEW.md.