nofx/SECURITY.md
zbhan 2351bb95c3 Feat: Update docs
- Restructure the documentation
- Update the documentation content
- Draw up a roadmap
- Provide bilingual Chinese/English documentation
2025-11-01 15:05:24 -04:00

# Security Policy
**Languages:** [English](#english) | [Chinese](#中文)
---
# English
## 🛡️ Security Overview
NOFX is an AI-powered trading system that handles real funds and API credentials. We take security seriously and appreciate the security community's efforts to responsibly disclose vulnerabilities.
**Critical Areas:**
- 🔑 API key storage and handling
- 💰 Trading execution and fund management
- 🔐 Authentication and authorization
- 🗄️ Database security (SQLite)
- 🌐 Web interface and API endpoints
---
## 📋 Supported Versions
We provide security updates for the following versions:
| Version | Supported | Notes |
| ------- | ------------------ | -------------------- |
| 3.x | ✅ Fully supported | Current stable release |
| 2.x | ⚠️ Limited support | Security fixes only |
| < 2.0 | ❌ Not supported | Please upgrade |
**Recommendation:** Always use the latest stable release (v3.x) for best security.
---
## 🔒 Reporting a Vulnerability
### ⚠️ Please DO NOT Publicly Disclose
If you discover a security vulnerability in NOFX, please **DO NOT**:
- ❌ Open a public GitHub Issue
- ❌ Discuss it on social media (Twitter, Reddit, etc.)
- ❌ Share it in Telegram/Discord groups
- ❌ Post it on security forums before we've had time to fix it
Public disclosure before a fix is available puts all users at risk.
### ✅ Responsible Disclosure Process
**Step 1: Report Privately**
Contact the core team directly:
- **Tinkle:** [@Web3Tinkle on Twitter](https://x.com/Web3Tinkle) (DM)
**Alternative:** Encrypted communication via [Keybase](https://keybase.io/) (if available)
**Step 2: Include These Details**
```markdown
Subject: [SECURITY] Brief description of vulnerability
## Vulnerability Description
Clear explanation of the security issue
## Affected Components
- Which parts of the system are affected?
- Which versions are vulnerable?
## Reproduction Steps
1. Step-by-step instructions
2. Sample code or commands (if applicable)
3. Expected vs actual behavior
## Potential Impact
- Can funds be stolen?
- Can API keys be leaked?
- Can accounts be compromised?
- Rate the severity: Critical / High / Medium / Low
## Suggested Fix (Optional)
If you have ideas for fixing it, please share!
## Your Information
- Name (or pseudonym)
- Contact info for follow-up
- If you want public credit (yes/no)
```
**Step 3: Wait for Our Response**
We will:
- ✅ Acknowledge receipt within **24 hours**
- ✅ Provide initial assessment within **72 hours**
- ✅ Keep you updated on fix progress
- ✅ Notify you before public disclosure
---
## ⏱️ Response Timeline
| Stage | Timeline | Action |
|-------|----------|--------|
| **Acknowledgment** | 24 hours | Confirm we received your report |
| **Initial Assessment** | 72 hours | Verify vulnerability, rate severity |
| **Fix Development** | 7-30 days | Depends on complexity and severity |
| **Testing** | 3-7 days | Verify fix doesn't break functionality |
| **Public Disclosure** | After fix deployed | Publish security advisory |
**Critical vulnerabilities** (fund theft, credential leaks) are prioritized and may be fixed within 48 hours.
---
## 💰 Security Bounty Program (Optional)
We offer rewards for valid security vulnerabilities:
| Severity | Criteria | Reward |
|----------|----------|--------|
| **🔴 Critical** | Fund theft, API key extraction, RCE | **$500-1000 USD** |
| **🟠 High** | Authentication bypass, unauthorized trading | **$200-500 USD** |
| **🟡 Medium** | Information disclosure, XSS, CSRF | **$100-200 USD** |
| **🟢 Low** | Security improvements, minor issues | **$50-100 USD or Recognition** |
**Note:** Bounty amounts are at maintainers' discretion based on:
- Severity and impact
- Quality of report
- Ease of exploitation
- Number of affected users
**Out of Scope (No Bounty):**
- Issues in third-party libraries (report to them directly)
- Social engineering attacks
- DoS/DDoS attacks
- Issues requiring physical access
- Previously known/reported vulnerabilities
---
## 🔐 Security Best Practices (For Users)
To keep your NOFX deployment secure:
### 1. API Key Management
```bash
# ✅ DO: Read credentials from environment variables
export BINANCE_API_KEY="your_key"
export BINANCE_SECRET_KEY="your_secret"
# ❌ DON'T: Hardcode them in source files
API_KEY="abc123..." # NEVER DO THIS: a secret in a source file ends up in version control
```
### 2. Database Security
```bash
# ✅ Set proper permissions
chmod 600 nofx.db
chmod 600 config.json
# ❌ DON'T: Leave files world-readable
chmod 777 nofx.db # NEVER DO THIS
```
### 3. Network Security
```bash
# ✅ Use a firewall to restrict API access
# Only allow localhost to reach the API server (the ACCEPT rule must precede the DROP rule)
iptables -A INPUT -p tcp --dport 8080 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP
# Note: iptables rules are not persistent across reboots; save them with iptables-save
# or your distribution's firewall service
# ❌ DON'T: Expose the API to the public internet without authentication
```
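As an added example that is not part of the NOFX code base, the following Go program turns practices 1 to 3 above into checks a deployment can run at startup: credentials must come from `BINANCE_API_KEY` / `BINANCE_SECRET_KEY`, `nofx.db` and `config.json` must be mode 0600, and the API listener must be bound to a loopback address. The function names, the `getenv` injection and the listen-address check are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os"
)

// Credentials is the exchange key pair, read from the environment (never hardcoded).
type Credentials struct{ APIKey, SecretKey string }

// loadCredentials reads BINANCE_API_KEY / BINANCE_SECRET_KEY via getenv (os.Getenv in prod, a stub in tests).
func loadCredentials(getenv func(string) string) (Credentials, error) {
	c := Credentials{getenv("BINANCE_API_KEY"), getenv("BINANCE_SECRET_KEY")}
	if c.APIKey == "" || c.SecretKey == "" {
		return Credentials{}, errors.New("BINANCE_API_KEY and BINANCE_SECRET_KEY must be set")
	}
	return c, nil
}

// checkPrivateFile enforces the chmod 600 rule: any group/other permission
// bit on nofx.db or config.json is reported as an error.
func checkPrivateFile(path string) error {
	info, err := os.Stat(path)
	if err != nil {
		return err
	}
	if perm := info.Mode().Perm(); perm&0o077 != 0 {
		return fmt.Errorf("%s has mode %04o, expected 0600", path, perm)
	}
	return nil
}

// listenAddrIsLocal is true only when the API server binds a loopback
// address, the in-process counterpart of the iptables rule above.
func listenAddrIsLocal(addr string) bool {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return false
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

func main() {
	_, err := loadCredentials(os.Getenv) // hypothetical startup sequence for this example
	fmt.Println("credentials:", err, "| nofx.db:", checkPrivateFile("nofx.db"),
		"| loopback only:", listenAddrIsLocal("127.0.0.1:8080"))
}
```

Run it from the NOFX working directory; a non-nil value in any field means the deployment violates one of the three practices.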
### 4. Use Subaccounts
- Create a dedicated Binance subaccount for trading
- Limit the maximum balance
- Restrict withdrawal permissions
- Use an IP whitelist
### 5. Test on Testnet First
- Hyperliquid: Use testnet mode
- Binance: Use testnet API (https://testnet.binancefuture.com)
- Never test with real funds initially
### 6. Regular Updates
```bash
# Check for updates regularly
git pull origin main
go build -o nofx
# Subscribe to security advisories
# Watch GitHub releases: https://github.com/tinkle-community/nofx/releases
```
---
## 🚨 Security Advisories
Past security advisories will be published here:
### 2025-XX-XX: [Title]
- **Severity:** [Critical/High/Medium/Low]
- **Affected Versions:** [x.x.x - x.x.x]
- **Fixed in:** [x.x.x]
- **Description:** [Brief description]
- **Mitigation:** [How to protect yourself]
*No security advisories have been published yet.*
---
## 🙏 Security Researchers Hall of Fame
We thank the following security researchers for responsibly disclosing vulnerabilities:
*No reports have been submitted yet. Be the first!*
---
## 📚 Additional Resources
**Security Documentation:**
- [OWASP Top 10](https://owasp.org/www-project-top-ten/)
- [CWE Top 25](https://cwe.mitre.org/top25/)
- [Binance API Security Best Practices](https://www.binance.com/en/support/faq/360002502072)
**Audit Reports:**
- No third-party audits completed yet
- Self-audit checklist: [TODO: Add link]
---
## 📞 Contact
**For security issues ONLY:**
- 🐦 **Twitter DM:** [@Web3Tinkle](https://x.com/Web3Tinkle)
**For general questions:**
- See [CONTRIBUTING.md](CONTRIBUTING.md)
- Join [Telegram Community](https://t.me/nofx_dev_community)
---
**Thank you for helping keep NOFX secure!** 🔒
---
# 中文
## 🛡️ Security Overview
NOFX is an AI trading system that handles real funds and API credentials. We take security very seriously and appreciate the security community's efforts to responsibly disclose vulnerabilities.
**Critical Areas:**
- 🔑 API key storage and handling
- 💰 Trade execution and fund management
- 🔐 Authentication and authorization
- 🗄️ Database security (SQLite)
- 🌐 Web interface and API endpoints
---
## 📋 Supported Versions
We provide security updates for the following versions:
| Version | Support Status | Notes |
| ------- | ------------------ | -------------------- |
| 3.x | ✅ Fully supported | Current stable release |
| 2.x | ⚠️ Limited support | Security fixes only |
| < 2.0 | ❌ Not supported | Please upgrade |
**Recommendation:** Always use the latest stable release (v3.x) for the best security.
---
## 🔒 Reporting a Vulnerability
### ⚠️ Please Do Not Disclose Publicly
If you discover a security vulnerability in NOFX, please **do not**:
- ❌ Open a public GitHub Issue
- ❌ Discuss it on social media (Twitter, Reddit, etc.)
- ❌ Share it in Telegram/Discord groups
- ❌ Post it on security forums before we have had time to fix it
Public disclosure before a fix is available puts all users at risk.
### ✅ Responsible Disclosure Process
**Step 1: Report Privately**
Contact the core team directly:
- **Tinkle:** [@Web3Tinkle on Twitter](https://x.com/Web3Tinkle) (DM)
**Alternative:** Encrypted communication via [Keybase](https://keybase.io/) (if available)
**Step 2: Include These Details**
```markdown
Subject: [SECURITY] Brief description of the vulnerability
## Vulnerability Description
A clear explanation of the security issue
## Affected Components
- Which parts of the system are affected?
- Which versions are vulnerable?
## Reproduction Steps
1. Step-by-step instructions
2. Sample code or commands (if applicable)
3. Expected vs. actual behavior
## Potential Impact
- Can funds be stolen?
- Can API keys be leaked?
- Can accounts be compromised?
- Severity rating: Critical / High / Medium / Low
## Suggested Fix (Optional)
If you have ideas for a fix, please share them!
## Your Information
- Name (or pseudonym)
- Contact information for follow-up
- Whether you want public credit (yes/no)
```
**Step 3: Wait for Our Response**
We will:
- ✅ Acknowledge receipt within **24 hours**
- ✅ Provide an initial assessment within **72 hours**
- ✅ Keep you informed of fix progress
- ✅ Notify you before public disclosure
---
## ⏱️ Response Timeline
| Stage | Timeline | Action |
|-------|----------|--------|
| **Acknowledgment** | 24 hours | Confirm that we received your report |
| **Initial Assessment** | 72 hours | Verify the vulnerability, rate its severity |
| **Fix Development** | 7-30 days | Depends on complexity and severity |
| **Testing** | 3-7 days | Verify the fix does not break functionality |
| **Public Disclosure** | After the fix is deployed | Publish a security advisory |
**Critical vulnerabilities** (fund theft, credential leaks) are prioritized and may be fixed within 48 hours.
---
## 💰 Security Bounty Program (Optional)
We offer rewards for valid security vulnerabilities:
| Severity | Criteria | Reward |
|----------|----------|--------|
| **🔴 Critical** | Fund theft, API key extraction, RCE | **$500-1000 USD** |
| **🟠 High** | Authentication bypass, unauthorized trading | **$200-500 USD** |
| **🟡 Medium** | Information disclosure, XSS, CSRF | **$100-200 USD** |
| **🟢 Low** | Security improvements, minor issues | **$50-100 USD or recognition** |
**Note:** Bounty amounts are at the maintainers' discretion, based on:
- Severity and impact
- Quality of the report
- Ease of exploitation
- Number of affected users
**Out of Scope (No Bounty):**
- Issues in third-party libraries (report them directly to those projects)
- Social engineering attacks
- DoS/DDoS attacks
- Issues requiring physical access
- Known/previously reported vulnerabilities
---
## 🔐 Security Best Practices (User Guide)
To keep your NOFX deployment secure:
### 1. API Key Management
```bash
# ✅ DO: Read credentials from environment variables
export BINANCE_API_KEY="your_key"
export BINANCE_SECRET_KEY="your_secret"
# ❌ DON'T: Hardcode them in source files
API_KEY="abc123..." # NEVER DO THIS: a secret in a source file ends up in version control
```
### 2. Database Security
```bash
# ✅ Set proper permissions
chmod 600 nofx.db
chmod 600 config.json
# ❌ DON'T: Leave files world-readable
chmod 777 nofx.db # NEVER DO THIS
```
### 3. Network Security
```bash
# ✅ Use a firewall to restrict API access
# Only allow localhost to reach the API server (the ACCEPT rule must precede the DROP rule)
iptables -A INPUT -p tcp --dport 8080 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP
# Note: iptables rules are not persistent across reboots; save them with iptables-save
# or your distribution's firewall service
# ❌ DON'T: Expose the API to the public internet without authentication
```
### 4. Use Subaccounts
- Create a dedicated Binance subaccount for trading
- Limit the maximum balance
- Restrict withdrawal permissions
- Use an IP whitelist
### 5. Test on the Testnet First
- Hyperliquid: use testnet mode
- Binance: use the testnet API (https://testnet.binancefuture.com)
- Never start testing with real funds
### 6. Regular Updates
```bash
# Check for updates regularly
git pull origin main
go build -o nofx
# Subscribe to security advisories
# Watch GitHub releases: https://github.com/tinkle-community/nofx/releases
```
---
## 🚨 Security Advisories
Past security advisories will be published here:
### 2025-XX-XX: [Title]
- **Severity:** [Critical/High/Medium/Low]
- **Affected Versions:** [x.x.x - x.x.x]
- **Fixed in:** [x.x.x]
- **Description:** [Brief description]
- **Mitigation:** [How to protect yourself]
*No security advisories have been published yet.*
---
## 🙏 Security Researchers Hall of Fame
We thank the following security researchers for responsibly disclosing vulnerabilities:
*No reports have been received yet. Be the first!*
---
## 📞 Contact
**For security issues ONLY:**
- 🐦 **Twitter DM:** [@Web3Tinkle](https://x.com/Web3Tinkle)
**For general questions:**
- Join the [Telegram Community](https://t.me/nofx_dev_community)
---
**Thank you for helping keep NOFX secure!** 🔒