Security
How we protect your data — and how you can help us find weaknesses.
Baseline hardening
- TLS 1.3, HSTS, secure cookies
- bcrypt (cost 12) password hashing, JWT with short TTL
- Rate-limiting + brute-force protection on all auth endpoints
- Idempotency keys on financial endpoints
- Multi-doc MongoDB transactions on state changes
- Structured audit log per escrow event
- Stripe webhook signature verification (HMAC)
Responsible disclosure
Found a vulnerability? Please email us before public disclosure. We commit to acknowledging within 48h and patching critical issues within 7 days.
Bug bounty (coming Q3 2026)
A formal bug bounty program on Immunefi is planned for Q3 2026 alongside external audit (Trail of Bits / Zellic). Until then, disclosure rewards are handled ad-hoc.
PGP key on request. Do not include exploitation details in your first email — we’ll confirm a secure channel first.