Security Policy

TradeArena is an audit and benchmark framework. It does not execute live trades by default, and public examples are paper-only or offline-friendly.

Please Do Not Submit

API keys, broker credentials, or account tokens.
Raw provider prompt/response caches.
Private portfolios, account statements, or personally identifiable data.
Live-order adapters that submit trades without explicit sandboxing and human approval.
.env files, cookies, private notebook outputs, or local broker/account exports.

For credential leakage, unsafe execution boundaries, prompt/cache exposure, or other security-sensitive issues, email:

weich97@vt.edu

Please include a minimal reproduction and avoid publishing sensitive details in public issues until the report has been triaged.

Adapters that touch brokers, exchanges, or portfolio data must default to one of these modes:

Live execution is out of scope for the public benchmark unless it is explicitly sandboxed and documented as unsafe for unattended use.

Provider and data integrations are opt-in. A safe run should satisfy all of the following:

keys are read from environment variables or an OS secret manager, never from committed files or command-line flags;
raw LLM caches stay under ignored local paths such as data/llm_cache/ or outputs/;
public artifacts use redacted benchmark submissions or cache manifests;
Yahoo Finance, AkShare, and other market-data downloads record source, frequency, symbol universe, timestamp policy, and adjustment assumptions;
broker-facing examples remain paper-only, export-only, or human-approved by default;
errors from provider APIs omit response bodies when those bodies may contain sensitive details.

Revoke or rotate the provider or broker credential immediately.
Remove local cache files that contain the exposed value.
Do not paste the secret into a public issue. Report privately using the address above.
If the secret reached Git history, treat it as compromised even after the file is deleted.