Security: pinglucid/polymarket-bot

SECURITY.md

Security Policy

Supported Versions

  Version   Supported
  latest    Yes

Reporting a Vulnerability

Do not open a public GitHub issue for security vulnerabilities.

This bot handles private keys and can execute real trades. Security issues must be reported privately.

Email: security@polymarket-bot.dev

Include in your report:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact (key exposure, unauthorized trades, data leakage)
  • Suggested fix if you have one

You will receive acknowledgment within 48 hours and a fix timeline within 7 days.

Scope

In scope:

  • Private key exposure or leakage
  • Unauthorized trade execution
  • SQL injection in database queries
  • Command injection via subprocess calls
  • Dependency vulnerabilities with direct exploitability
  • Configuration parsing that could leak secrets

Out of scope:

  • Rate limiting on Polymarket's API
  • Issues requiring physical access
  • Social engineering

Design Notes

  • All credentials are read from environment variables or config.yaml, never hardcoded
  • execution/live.py submits real orders to the Polymarket CLOB. It is guarded by a paper-mode default (mode: paper) and additionally requires an explicit --live flag before any real order is sent
  • The bot spawns Claude CLI as a subprocess; ANTHROPIC_API_KEY must be in the shell environment
  • Private keys are never logged or written to the database
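The guards these notes describe can be illustrated in Python, the language of execution/live.py. The following is an added example written for this page and is not code from pinglucid/polymarket-bot: the variable name POLYMARKET_PRIVATE_KEY, the Settings class, the claude_command/claude_env helpers and the Claude CLI flags it passes are assumptions, not the project's own. It shows a config loader that takes the key from the environment, a live-trading gate that needs both mode: live and --live, a logging filter that scrubs key-shaped strings before a record is emitted, and a subprocess argv/environment builder that keeps shell metacharacters inert and keeps the trading key out of the Claude CLI child process.

```python
"""Guard patterns for a bot that holds a private key and can place real orders.

Added example; it is not code from pinglucid/polymarket-bot. Names such as
POLYMARKET_PRIVATE_KEY, Settings, claude_command and the CLI flags below are
assumptions. It demonstrates:
  1. secrets come from the environment or config.yaml, never from source;
  2. live order submission needs BOTH mode: live AND an explicit --live flag;
  3. private keys are scrubbed from log records, and the Claude CLI child
     process receives a minimal environment that does not contain the key.
"""
import argparse
import logging
import re
from dataclasses import dataclass, field

# 32-byte hex key, with or without 0x, not embedded in a longer hex run.
# A 64-hex transaction hash matches too; over-redacting is the safe failure.
_PRIVKEY_RE = re.compile(r"(?<![0-9a-fA-F])(?:0x)?[0-9a-fA-F]{64}(?![0-9a-fA-F])")


def redact(text: str) -> str:
    """Replace anything that looks like a private key with a placeholder."""
    return _PRIVKEY_RE.sub("[REDACTED_KEY]", text)


class RedactSecrets(logging.Filter):
    """Logging filter: scrub the message and its arguments before formatting."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(str(record.msg))
        if isinstance(record.args, dict):
            record.args = {k: redact(str(v)) for k, v in record.args.items()}
        elif record.args:
            record.args = tuple(redact(str(a)) for a in record.args)
        return True


@dataclass
class Settings:
    mode: str = "paper"  # safe default: orders are simulated unless configured otherwise
    # repr=False keeps the key out of str()/repr()/f-strings and therefore out of logs
    private_key: str = field(default="", repr=False)


def load_settings(config: dict, env: dict) -> Settings:
    """Merge the parsed config.yaml (passed here as a dict) with the environment.

    The environment wins for the key; nothing here copies the key anywhere else.
    """
    key = env.get("POLYMARKET_PRIVATE_KEY") or config.get("private_key", "")
    if not key:
        raise RuntimeError("no private key configured")
    mode = str(config.get("mode", "paper"))
    if mode not in ("paper", "live"):
        raise ValueError(f"unknown mode {mode!r}")
    return Settings(mode=mode, private_key=key)


def live_trading_enabled(settings: Settings, argv: list[str]) -> bool:
    """Real orders need mode: live in config AND --live on the command line.

    Either signal alone leaves the bot in paper mode, so a stray config edit
    or a stray flag cannot by itself move real funds.
    """
    parser = argparse.ArgumentParser(add_help=False)
    parser.add_argument("--live", action="store_true")
    args, _unknown = parser.parse_known_args(argv)
    return settings.mode == "live" and args.live


def claude_command(prompt: str, model: str = "claude-sonnet-4") -> list[str]:
    """argv for spawning the Claude CLI via subprocess.run(argv, shell=False).

    The prompt travels as a single argument, so shell metacharacters in market
    text (';', backticks, '$(...)') are inert. The model name is validated
    because it sits next to a flag. The '-p' and '--model' flags are an
    assumption of this example, not taken from the project.
    """
    if not re.fullmatch(r"[A-Za-z0-9._-]+", model):
        raise ValueError("invalid model name")
    return ["claude", "-p", prompt, "--model", model]


def claude_env(parent_env: dict) -> dict:
    """Minimal environment for the Claude CLI child.

    Forwarding the whole parent environment would hand the trading key to the
    child process; only what the CLI needs is passed through.
    """
    if "ANTHROPIC_API_KEY" not in parent_env:
        raise RuntimeError("ANTHROPIC_API_KEY must be set in the shell environment")
    return {k: parent_env[k] for k in ("ANTHROPIC_API_KEY", "PATH", "HOME") if k in parent_env}


if __name__ == "__main__":
    # Constructed sample environment; the key below is not a real key.
    env = {"POLYMARKET_PRIVATE_KEY": "0x" + "ab" * 32, "ANTHROPIC_API_KEY": "sk-ant-demo", "PATH": "/usr/bin"}
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    log = logging.getLogger("bot")
    log.addFilter(RedactSecrets())
    s = load_settings({"mode": "live"}, env)
    log.info("loaded %s; key from env was %s", s, env["POLYMARKET_PRIVATE_KEY"])
    print("live trading:", live_trading_enabled(s, ["--live"]))
    print(claude_command("Summarise: will ETH close above $4k?; rm -rf ~"))
    print(sorted(claude_env(env)))
```

Run it directly to see the redacted log line, the two-factor live gate, an argv in which the injected "; rm -rf ~" is just prompt text, and a child environment that lacks POLYMARKET_PRIVATE_KEY. The filter is attached to the logger rather than a handler so it applies regardless of where the records are later shipped.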

There aren’t any published security advisories