1. Our Security Posture
StockTrendz AI™ employs industry-standard security measures to protect your account and data:
- Encryption: All data is encrypted using TLS 1.3 in transit and AES-256 at rest.
- Authentication: We use secure JWT-based authentication with 30-day sessions stored exclusively in HttpOnly cookies.
- Cookie-Only Storage: Authentication tokens are stored exclusively in HttpOnly, Secure, SameSite=Strict cookies. We do not store sensitive tokens in localStorage, which protects against XSS-based token theft.
- CSRF Protection: All authenticated state-changing requests require a valid CSRF token, protecting your session from cross-site request forgery.
- Infrastructure: Hosted on AWS with strict security group configurations and VPC isolation.
- Monitoring: Continuous logging and monitoring of API access and infrastructure health.
- OAuth Safety: We use Zerodha and Google OAuth 2.0, meaning we never see or store your primary broker/provider passwords.
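As an added illustration (not StockTrendz's own code), the cookie and CSRF rules stated above expressed as checks a server or an auditor could run; it assumes a double-submit CSRF token carried in a `csrf_token` cookie and an `X-CSRF-Token` request header, and a cookie named `session`, none of which the policy names.

```python
import hmac
import secrets
from http.cookies import SimpleCookie

SESSION_COOKIE = "session"        # assumed cookie name, not from the policy
CSRF_COOKIE = "csrf_token"        # assumed double-submit cookie, not from the policy
SESSION_MAX_AGE = 30 * 24 * 60 * 60   # 30-day sessions, as stated in the policy
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}   # read-only methods need no CSRF token


def session_cookie_header(jwt: str, max_age: int = SESSION_MAX_AGE) -> str:
    """Build the Set-Cookie line that keeps the JWT out of page scripts:
    HttpOnly (no document.cookie access), Secure (TLS only),
    SameSite=Strict (never sent on cross-site navigations or requests)."""
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE] = jwt
    morsel = cookie[SESSION_COOKIE]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = "Strict"
    morsel["max-age"] = max_age
    morsel["path"] = "/"
    return cookie.output(header="Set-Cookie:").strip()


def cookie_meets_policy(set_cookie: str) -> bool:
    """Audit check: does a Set-Cookie line carry every flag the policy promises?
    Attribute names are case-insensitive, so compare in lower case."""
    attrs = {p.strip().lower() for p in set_cookie.split(";")[1:]}
    return {"httponly", "secure", "samesite=strict"}.issubset(attrs)


def new_csrf_token() -> str:
    """Unpredictable per-session CSRF token (double-submit pattern, assumed)."""
    return secrets.token_urlsafe(32)


def csrf_check(method: str, cookies: dict, headers: dict) -> bool:
    """Enforce 'state-changing requests require a valid CSRF token'.
    A forged cross-site request cannot read the csrf_token cookie, so it
    cannot echo it in the header; a mismatch or absence is rejected."""
    if method.upper() in SAFE_METHODS:
        return True
    expected = cookies.get(CSRF_COOKIE)
    presented = headers.get("X-CSRF-Token")
    if not expected or not presented:
        return False
    # constant-time comparison avoids leaking the token via timing
    return hmac.compare_digest(expected, presented)
```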
2. Responsible Disclosure Policy
If you believe you have found a security vulnerability in our platform, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem.
Safe Harbor: We will not take legal action against you or ask law enforcement to investigate you provided you comply with our disclosure guidelines.
3. Vulnerability Reporting
To report a vulnerability, please email security@stocktrendz.in with the following details:
- A description of the vulnerability and its potential impact.
- Steps to reproduce the issue (proof-of-concept scripts or screenshots are helpful).
- Your contact information for follow-up questions.
We acknowledge receipt of reports within 48 hours and provide status updates during the remediation process.
4. Scope
In-scope:
- Main application: stocktrendz.in
- API endpoints: stocktrendz.in/api/*
- User data exposure or authentication bypasses.
Out-of-scope:
- DDoS or DoS attacks.
- Social engineering or phishing of our employees/users.
- Physical security of our offices or data centers.
5. Bounty Program
While we do not currently offer a monetary bug bounty program, we are happy to provide:
- Hall of Fame: Public acknowledgement of your contribution (with your consent).
- Swag: StockTrendz AI™ exclusive merchandise for critical findings.
- Free Subscription: Up to 1 year of our Pro/Elite plan for significant reports.
6. Security Best Practices for Users
To keep your account secure, we recommend:
- Using a strong, unique password for your StockTrendz account.
- Never sharing your JWT tokens or API keys with third parties.
- Regularly reviewing your connected broker sessions.