📢 This documentation relates to the Open-Source Trading Engine upgrade which is launching shortly →
OS Trading Engine
Security
Vulnerability Reporting

Vulnerability Reporting

We take security seriously. If you discover a security vulnerability in Nexgent, please report it responsibly.

⚠️

Do not open public GitHub issues for security vulnerabilities. This could put users at risk before a fix is available.

Reporting Process

1. Identify the Vulnerability

Before reporting, please confirm:

  • The issue is a security vulnerability (not a bug or feature request)
  • The issue affects Nexgent (not a third-party dependency)
  • You can reproduce the issue
  • You have not publicly disclosed the issue

2. Gather Information

Include as much detail as possible:

  • Type of vulnerability (e.g., authentication bypass, SQL injection, XSS)
  • Affected component (e.g., API endpoint, frontend, database)
  • Steps to reproduce
  • Proof of concept (code, screenshots, or video)
  • Potential impact (what could an attacker do?)
  • Suggested fix (if you have one)

3. Submit Report

Email: contact@nexgent.ai

Subject format: [SECURITY] Brief description

Example:

To: contact@nexgent.ai
Subject: [SECURITY] JWT token not properly validated on /api/v1/agents

Description:
The /api/v1/agents endpoint does not validate the JWT token signature,
allowing forged tokens to access protected resources.

Steps to Reproduce:
1. Create a JWT with arbitrary payload and invalid signature
2. Send request to /api/v1/agents with forged token
3. Server returns data without verifying signature

Impact:
Any attacker can access any user's agents by forging JWT tokens.

Suggested Fix:
Add signature verification to the authenticate middleware.

Proof of Concept:
[Attach code or screenshot]

What to Expect

Response Timeline

StageTimeline
Initial acknowledgmentWithin 48 hours
Triage and assessmentWithin 1 week
Fix developmentVaries by severity
Patch releaseAs soon as fix is ready
Public disclosureAfter patch is released

Severity Assessment

SeverityDescriptionExample
CriticalRemote code execution, full database accessSQL injection, RCE
HighAuthentication bypass, sensitive data exposureJWT bypass, key leakage
MediumLimited data access, denial of serviceIDOR, access bypass
LowInformation disclosure, minor issuesVersion disclosure, verbose errors

Scope

In Scope

  • Nexgent backend (nexgent-open-source-trading-engine/backend)
  • Nexgent frontend (nexgent-open-source-trading-engine/frontend)
  • Nexgent shared package (nexgent-open-source-trading-engine/shared)
  • Documentation site (if it processes user data)
  • Official Docker images
  • Official deployment templates

Out of Scope

  • Third-party dependencies (report to the dependency maintainer)
  • Self-hosted instances with modified code
  • Social engineering attacks
  • Physical attacks
  • Denial of service attacks
  • Issues already reported
  • Issues in non-latest versions

Safe Harbor

We follow responsible disclosure practices:

  1. No legal action against researchers who:

    • Report in good faith
    • Do not access or modify user data
    • Do not disrupt services
    • Wait for our response before disclosure

  2. Credit will be given to reporters who:

    • Provide valid, reproducible vulnerabilities
    • Allow reasonable time for fixes
    • Do not publicly disclose before patch

  3. We will not:

    • Take legal action against good-faith researchers
    • Report researchers to law enforcement
    • Penalize for accidental data access during research

Recognition

We maintain a security hall of fame for responsible disclosures:

How to be Credited

  1. Report a valid vulnerability
  2. Provide your name/handle (optional)
  3. Wait for fix and coordinated disclosure
  4. Your name will be added to our security acknowledgments

What We Don't Offer

  • Monetary bounties (we're an open-source project)
  • Swag or merchandise
  • Employment offers

Common Vulnerabilities

If you're looking for issues, here are areas to focus on:

Authentication

  • JWT token validation
  • Refresh token rotation
  • API key verification
  • Session management

Authorization

  • User ID scoping (IDOR)
  • API key scope enforcement
  • Resource ownership checks

Input Validation

  • SQL injection (via Prisma)
  • XSS in frontend
  • Command injection
  • Path traversal

Cryptography

  • Password hashing
  • Token generation
  • Secret management

Configuration

  • Default credentials
  • Exposed debug endpoints
  • Verbose error messages
  • Missing security headers

After Disclosure

Patch Process

  1. Vulnerability confirmed
  2. Fix developed in private branch
  3. Security advisory drafted
  4. Patch released
  5. Advisory published
  6. Users notified

Public Advisory

After the patch is released, we will:

  1. Publish a security advisory on GitHub
  2. Credit the reporter (if desired)
  3. Describe the vulnerability and fix
  4. Recommend upgrade steps

Contact

Primary: contact@nexgent.ai

Backup: Open a private security advisory on GitHub

PGP Key: Available on request for encrypted communication

Resources

Network SecurityHow to Contribute