
Security: HKUDS/Vibe-Trading

SECURITY.md

Security Policy

Supported Versions

Version Supported
latest

Reporting a Vulnerability

If you discover a security vulnerability, please report it responsibly:

  1. Do NOT open a public issue.
  2. Use the GitHub Security Advisory to report privately.
  3. Include steps to reproduce, potential impact, and any suggested fixes.

We will acknowledge your report within 5 business days and work with you to resolve the issue.

Scope

This policy applies to the HKUDS/Vibe-Trading repository.

Official channels & impersonation

Vibe-Trading is an open-source finance research tool. We will never ask you to "verify", connect, or sign with a crypto wallet to join our community, claim an airdrop, or unlock features — any such prompt is a scam.

  • Our only official Discord is https://discord.gg/6TdQnT5xcF (the HKUDS community server, also linked from the README). Treat any other "Vibe-Trading" Discord as an impostor.
  • If a Discord or website asks you to connect/sign a wallet for "verification", do not do it. If you already did, move your funds to a fresh wallet and revoke approvals (e.g. via revoke.cash).

See the pinned security announcement in Discussions for the 2026-06-18 impostor-Discord incident.

Disclosure

  • Please do not publicly disclose the vulnerability until we have released a fix.
  • We will credit reporters in the release notes (unless you prefer anonymity).
