ScopeCred is in CLOSED BETA / pre-launch. Demo mode — no real funds, no production accounts. Public registration coming soon.

Security

How we protect your data — and how you can help us find weaknesses.

Baseline hardening

  • TLS 1.3, HSTS, secure cookies
  • bcrypt (cost 12) password hashing, JWT with short TTL
  • Rate-limiting + brute-force protection on all auth endpoints
  • Idempotency keys on financial endpoints
  • Multi-doc MongoDB transactions on state changes
  • Structured audit log per escrow event
  • Stripe webhook signature verification (HMAC)

Responsible disclosure

Found a vulnerability? Please email us before public disclosure. We commit to acknowledging reports within 48h and patching critical issues within 7 days.

security@scopecred.com

Bug bounty (coming Q3 2026)

A formal bug bounty program on Immunefi is planned for Q3 2026 alongside an external audit (Trail of Bits / Zellic). Until then, disclosure rewards are handled ad hoc.

PGP key on request. Do not include exploitation details in your first email — we’ll confirm a secure channel first.
