docs(polymarket-browse): create SECURITY.md tracking audit findings
- Document fixed security issues from 2026-03-25 audit - Track all 7 security issues and their fixes - Add reporting instructions
This commit is contained in:
shoko
25
skills/polymarket-browse/SECURITY.md
Normal file
25
skills/polymarket-browse/SECURITY.md
Normal file
@@ -0,0 +1,25 @@
|
|||||||
|
# Security Policy
|
||||||
|
|
||||||
|
## Security Audit (2026-03-25)
|
||||||
|
|
||||||
|
This document tracks security issues found during the 2026-03-25 audit.
|
||||||
|
|
||||||
|
## Fixed Issues
|
||||||
|
|
||||||
|
| Issue | Severity | Fixed Date | Fix |
|
||||||
|
|-------|----------|------------|-----|
|
||||||
|
| Telegram bot token in process command line | CRITICAL | 2026-03-25 | Switched to Python urlopen from curl subprocess |
|
||||||
|
| HTML injection in Telegram messages | HIGH | 2026-03-25 | Added escape_html() function |
|
||||||
|
| Insufficient --search URL encoding | MEDIUM | 2026-03-26 | Use urllib.parse.quote() |
|
||||||
|
| --detail bounds not validated | MEDIUM | 2026-03-26 | Error on out of range |
|
||||||
|
| No response size limits | MEDIUM | 2026-03-26 | MAX_RESPONSE_SIZE check |
|
||||||
|
| Bare except: clauses | LOW | 2026-03-26 | Catch specific exceptions |
|
||||||
|
| No API rate limiting | LOW | 2026-03-26 | TokenBucket rate limiter |
|
||||||
|
|
||||||
|
## Open Issues
|
||||||
|
|
||||||
|
All security issues from this audit have been addressed in subsequent releases.
|
||||||
|
|
||||||
|
## Reporting Security Issues
|
||||||
|
|
||||||
|
If you find a security vulnerability, please report it by opening an issue.
|
||||||
Reference in New Issue
Block a user