Security
Security policy for the MTS1B ecosystem.
Reporting a vulnerability
Please do not report security vulnerabilities through public GitHub issues.
Use GitHub Security Advisories on the affected repo, or email [email protected].
Response targets (SLO):
| Severity | Initial response | Target fix |
|---|---|---|
| Critical (RCE, auth bypass) | 24 hours | 7 days |
| High (data exposure, escalation) | 48 hours | 14 days |
| Medium (DoS, info disclosure) | 1 week | 30 days |
| Low (informational) | best-effort | next release |
Supply-chain security
- All releases signed (Sigstore / cosign).
- Dependency updates gated by Dependabot + security audit.
- Container images SBOM-signed.
- License audit runs on every PR (Apache 2.0 / MIT / BSD-2-3 / ISC / MPL-2.0 / Python-2.0 / Unlicense only).
- Secret scanning via gitleaks on every commit.
What MTS1B will never do
- Read or transmit your credentials.
- Auto-execute trades without explicit per-action user confirmation.
- Phone home without explicit telemetry opt-in.
- Bundle proprietary or closed-source code.
- Add new commercial dependencies without a community RFC.
Threat model
MTS1B is defense-in-depth software for institutional-style quant research and trading. The threat surface includes:
- Broker credential theft — we use Vault for all secrets; never in environment vars without redaction.
- Position manipulation — pretrade gates + drawdown halt + broker-exit reconciler all enforce policy.
- Data exfiltration — eventbus is internal-only; external API surface is read-only by default.
- AI bot abuse —
mts1b-githubbotandmts1b-discordbothave rate limits + scope guards. - Plugin malice — plugins from
mts1b-pluginsdkare sandboxed and reviewed before listing in the marketplace.
Self-hosted, by default
MTS1B is designed to run on your own infrastructure. There is no hosted SaaS that owns your data. If you choose to use a cloud provider via mts1b-cloudburst, only the explicit GPU workload runs in the cloud; no positions, fills, or strategy code leaves your boundary.
Pen-test results
(To be added after first external audit, planned for Wave 2.)
Security champions
Each repo has a designated security reviewer listed in CODEOWNERS. Cross-repo concerns escalate to the security team via [email protected].