| Version | Supported |
|---|---|
| 0.x.x | ✅ |
If you discover a security vulnerability, please report it responsibly:
- Do NOT open a public GitHub issue
- Email security concerns to the maintainers (open a private security advisory on GitHub)
- Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
We will respond within 48 hours and work with you to understand and address the issue.
- Never commit API keys to version control
- Use environment variables for
KALSHI_API_KEYandKALSHI_PRIVATE_KEY - Rotate keys if you suspect they've been compromised
- The
KALSHI_PRIVATE_KEYis used for RSA-PSS signing - Store it securely (environment variables, secrets manager)
- Never log or expose the private key
- The MCP server runs locally with stdio transport
- It only connects to official Kalshi API endpoints
- No data is sent to third parties
We regularly update dependencies to patch security vulnerabilities. Enable Dependabot alerts on your fork to stay informed.