Responsible Disclosure Policy

Version 1.0 · Last updated: 22 February 2026

1. Introduction

Nautech Systems Pty Ltd (“Nautech Systems”, “we”, “us”, or “our”) is committed to the security of NautilusTrader and the broader ecosystem that depends on it. We welcome reports from security researchers, users, and the community who identify potential vulnerabilities in our software, infrastructure, or services.

This policy describes how to report security issues responsibly, what to expect from us in response, and the scope of systems covered.

2. Scope

This policy applies to:
  • The NautilusTrader open-source software and its official repositories.
  • NautilusTrader Pro proprietary components and services.
  • The NautilusTrader Cloud Platform.
  • Websites operated by Nautech Systems, including nautilustrader.io.

This policy does not apply to third-party services, exchanges, data providers, or other platforms that may integrate with or connect to NautilusTrader. Vulnerabilities in those systems should be reported directly to the responsible party.

3. How to Report

Preferred method: GitHub Security Advisories
Submit a private report via GitHub Security Advisories. This allows private coordination before public disclosure and ensures you receive credit in the advisory and release notes.

Alternative: Email
Send reports to info@nautechsystems.io. For sensitive reports, you may request our PGP key for encrypted communication.

When reporting, please include:
  • A clear description of the vulnerability and its potential impact.
  • Steps to reproduce the issue or a proof of concept.
  • The affected version(s) and component(s).
  • Any suggested remediation, if applicable.

4. Response Timeline

We commit to the following response targets:
  • Initial acknowledgement: Within 48 hours of report submission.
  • Assessment update: Within 7 days with an initial severity assessment.
  • Critical vulnerabilities: Patched within 30 days.
  • Other issues: Addressed within 90 days.
  • Coordinated disclosure: We will work with you to agree on a public disclosure date.

5. What We Ask of You

To ensure vulnerabilities are handled responsibly and without harm to users:
  • Do not publicly disclose the vulnerability before a fix is available and a disclosure date has been mutually agreed.
  • Do not exploit the vulnerability beyond what is necessary to demonstrate the issue.
  • Do not access, modify, or delete data belonging to other users.
  • Do not degrade, disrupt, or deny service to NautilusTrader systems or users.
  • Act in good faith and comply with all applicable laws.

6. Recognition

We value the contributions of security researchers. Unless you prefer to remain anonymous, we will acknowledge your contribution in the relevant security advisory and release notes.

At this time, Nautech Systems does not operate a formal bug bounty program. We appreciate responsible reports and will do our best to recognize contributions appropriately.

7. Supported Versions

We only provide security support for the latest released version of NautilusTrader. If you are using an older version, the vulnerability may already be addressed in a subsequent release. We recommend always running the latest version.

8. Safe Harbor

Nautech Systems will not pursue legal action against individuals who report vulnerabilities in accordance with this policy, provided they act in good faith and comply with the guidelines set out above. This safe harbor does not extend to activities that violate applicable law or cause harm to users, data, or systems.

9. Changes to This Policy

This policy may be updated from time to time. The current version will always be available at this URL. Continued submission of reports after any update constitutes acceptance of the revised policy.

10. Contact

Security-related inquiries may be directed to info@nautechsystems.io.

© 2026 Nautech Systems Pty Ltd. All rights reserved.

NautilusTrader™ is a product of Nautech Systems Pty Ltd (ABN 88 609 589 237). Nautech Systems provides algorithmic trading software only. We do not operate as a broker, dealer, or exchange, nor offer financial advisory services. Users are solely responsible for compliance with applicable laws and regulations. Subject to non-excludable consumer guarantees, we make no warranties and accept no liability for trading losses or regulatory violations arising from use of the software.