This repo is research code: notebooks, prose, and data adapters. The realistic threat surface is small — but if you find something worth reporting, please report it privately rather than opening a public issue.
Email security@xylem-group.org with:
- A description of the issue and where in the repo it lives.
- A minimal reproduction (notebook cell, script invocation, or commit SHA).
- Whether you've shared it elsewhere (private disclosure timeline matters).
We'll acknowledge within 72 hours and aim to fix or comment on a path forward within two weeks. We don't run a paid bug bounty for this repo.
Out of scope for security reports:
- Issues in third-party services we link to (Binance, Hyperliquid, etc.) — report those upstream.
- Notebook outputs that include sensitive-looking but public data (venue feeds, on-chain transactions). Open a regular issue if it's worth redacting; not a security report.
- Methodology disagreements. Open a regular issue or PR.
paros is pre-release; only trunk is supported. There are no tagged releases yet.