From 350fe17e872c033577b3a929ce6fbc1f5ac2c667 Mon Sep 17 00:00:00 2001 From: shoko <270575765+shokollm@users.noreply.github.com> Date: Thu, 26 Mar 2026 19:17:16 +0000 Subject: [PATCH] docs(polymarket-browse): create SECURITY.md tracking audit findings - Document fixed security issues from 2026-03-25 audit - Track all 7 security issues and their fixes - Add reporting instructions --- skills/polymarket-browse/SECURITY.md | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 skills/polymarket-browse/SECURITY.md diff --git a/skills/polymarket-browse/SECURITY.md b/skills/polymarket-browse/SECURITY.md new file mode 100644 index 0000000..5927bbb --- /dev/null +++ b/skills/polymarket-browse/SECURITY.md @@ -0,0 +1,25 @@ +# Security Policy + +## Security Audit (2026-03-25) + +This document tracks security issues found during the 2026-03-25 audit. + +## Fixed Issues + +| Issue | Severity | Fixed Date | Fix | +|-------|----------|------------|-----| +| Telegram bot token in process command line | CRITICAL | 2026-03-25 | Switched to Python urlopen from curl subprocess | +| HTML injection in Telegram messages | HIGH | 2026-03-25 | Added escape_html() function | +| Insufficient --search URL encoding | MEDIUM | 2026-03-26 | Use urllib.parse.quote() | +| --detail bounds not validated | MEDIUM | 2026-03-26 | Error on out of range | +| No response size limits | MEDIUM | 2026-03-26 | MAX_RESPONSE_SIZE check | +| Bare except: clauses | LOW | 2026-03-26 | Catch specific exceptions | +| No API rate limiting | LOW | 2026-03-26 | TokenBucket rate limiter | + +## Open Issues + +All security issues from this audit have been addressed in subsequent releases. + +## Reporting Security Issues + +If you find a security vulnerability, please report it by opening an issue.
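Review bot: the "Reporting Security Issues" section at the end of this hunk tells reporters to open an issue, which on a public tracker discloses the vulnerability before a fix exists; point reporters to a private channel instead (e.g. GitHub private vulnerability reporting or a security contact address) and state an expected acknowledgement time. Also, the "Fix" column of the table describes each fix only by name ("Added escape_html() function", "MAX_RESPONSE_SIZE check", "TokenBucket rate limiter") with no commit, PR or file reference, so a reader cannot verify that the fix actually landed; add the relevant commit id or PR link per row. Finally, the "Open Issues" section says the issues were addressed "in subsequent releases" while the table records only fixed dates; naming the release that contains each fix would keep the two consistent.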