This project adheres to a strict SecureSDLC to ensure the safety of user funds and API credentials.
- Unofficial Status: This project is community-maintained and not affiliated with Bybit.
- Dependency Minimization: We keep the dependency tree lean to reduce the attack surface.
- No Persistence of Secrets: The CLI never logs or transmits API secrets to any destination other than the official Bybit API endpoints.
- Local Credentials: API keys are stored in the user's home directory with restricted file permissions.
- Paper Trading First: We provide a full-fidelity paper trading engine to allow strategy testing without financial risk.
- Atomic Flattening: Built-in emergency exit commands (`position flatten`) to mitigate algorithmic errors.
- Memory Safety: Built in Rust to prevent buffer overflows and memory corruption.
- Input Validation: Strict schema validation for all user-provided parameters.
- Dry-Run Mode: Every trade command supports a `--validate` flag to check the request without submitting.
- Automated Linting: All commits must pass `cargo clippy` with zero warnings.
- Security Auditing: We run `cargo audit` in CI to detect vulnerabilities in dependencies.
- Static Analysis: Continuous integration (CI) includes advisory scans for common security pitfalls.
- Signed Artifacts: All official releases are signed with `minisign`.
- Reproducible Builds: We strive for build reproducibility to ensure the binary matches the source code.
- Provenance Attestation: Release artifacts include GitHub build provenance attestations.
- Bug Bounty: We encourage responsible disclosure of security vulnerabilities.
- Credential Rotation: If a breach is suspected, we provide a `bybit auth reset` command to wipe local credentials instantly.
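The "Local Credentials" point above is the one most easily got wrong in practice: a credentials file created with the right mode can still be left world-readable if it already existed with a looser mode. The following is an added illustration, not the project's own code; the file name, the `bybit-cli-demo` directory under the system temp dir and the TOML layout are assumptions, and it is Unix-only (standard library only).

```rust
use std::fs::{self, OpenOptions};
use std::io::{self, Write};
use std::os::unix::fs::{OpenOptionsExt, PermissionsExt};
use std::path::{Path, PathBuf};

/// Write the credentials file so that only the owner can read or write it (0600).
/// `mode(0o600)` only applies when the file is newly created, so the permissions
/// are tightened explicitly as well to cover a pre-existing, looser file.
pub fn write_credentials(path: &Path, contents: &[u8]) -> io::Result<()> {
    if let Some(parent) = path.parent() {
        fs::create_dir_all(parent)?;
    }
    let mut f = OpenOptions::new()
        .write(true)
        .create(true)
        .truncate(true)
        .mode(0o600)
        .open(path)?;
    // Enforce owner-only access even if the file existed before with e.g. 0644.
    f.set_permissions(fs::Permissions::from_mode(0o600))?;
    f.write_all(contents)?;
    f.sync_all()
}

/// Returns true only if no group/other permission bits are set on the file.
/// A loader should refuse to use credentials when this returns false.
pub fn check_credentials_perms(path: &Path) -> io::Result<bool> {
    let mode = fs::metadata(path)?.permissions().mode() & 0o777;
    Ok(mode & 0o077 == 0)
}

/// Hypothetical location used by this example (not the CLI's real config path).
fn demo_path(name: &str) -> PathBuf {
    std::env::temp_dir().join("bybit-cli-demo").join(name)
}

fn main() -> io::Result<()> {
    let p = demo_path("credentials.toml");
    // Constructed placeholder values; never commit real keys.
    write_credentials(&p, b"api_key = \"EXAMPLE\"\napi_secret = \"EXAMPLE\"\n")?;
    println!("{} owner-only: {}", p.display(), check_credentials_perms(&p)?);
    Ok(())
}
```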