◆ SECURITY POLICY

Vorepo security

How we secure the platform and how to report a vulnerability responsibly.

Reporting a vulnerability

If you believe you've found a security issue, report it privately before public disclosure.

Response SLA: first reply within 72 hours.

RFC 9116 / security.txt: /.well-known/security.txt

Please include: a clear description, reproduction steps, affected URL or endpoint, and your assessment of impact. Encrypted reports welcome — request our PGP key in the first message.

What we ask

Do not test against other users' accounts or data.
Do not run automated scanners that produce excessive load. We rate-limit aggressively.
Do not exfiltrate data beyond the minimum needed to demonstrate the issue.
Give us reasonable time to fix before public disclosure (we aim for under 90 days).

What you get

Acknowledgment within 72 hours.
Status updates as we triage and fix.
Public credit (with your permission) in the acknowledgments section below.
For high-severity findings we will discuss a bounty case-by-case (we do not run a fixed-price program yet).

Scope

In scope

vorepo.com and subdomains we operate (dev.vorepo.com, api.vorepo.com).
Public APIs documented at /docs.html.
Authentication, session management, withdrawal flow, deposit detection, reserve accounting.

Out of scope

Third-party services we integrate with (Privy, Coinbase Onramp, Cloudflare). Report to the vendor.
Social-engineering attacks against staff or users.
Denial-of-service / resource-exhaustion testing.
Reports relying solely on missing security headers without a working exploit chain.
Findings that require physical access to a user's device.

Security controls in production

Authentication. Email + bcrypt-hashed password (cost factor 12). Optional TOTP 2FA. JWT bearer tokens for API; not stored in cookies.
Withdrawals. Every withdrawal requires a fresh 6-digit email code (30-min TTL, 5-attempt cap). Balance debited at request, auto-refunded if the code expires.
Hot wallet. Solana hot wallet signs USDC withdrawals; private key file mode 0400, owned by service user, never logged or committed.
Network. TLS 1.2+ enforced. HSTS with preload. Cloudflare in front. Server-side rate limiting on auth and admin paths.
Headers. Strict CSP with allowlisted origins, X-Frame-Options: SAMEORIGIN, X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin, Permissions-Policy stripping camera/mic/geolocation.
API surface. Auto-generated OpenAPI schema is not publicly served. Admin endpoints require JWT + admin allowlist; admin landing page is on an obscured path.
Logging. journald; passwords, JWTs, and full deposit/withdrawal addresses are not logged at INFO.

Funds custody

Vorepo currently operates a custodial trading model: USDC you deposit lives on a Vorepo-operated Solana hot wallet while you trade, and your balance is tracked in our database. You retain full withdrawal rights at any time, subject to standard fees and Solana network confirmation time. Each ticker has dedicated USDC reserves that serve as the counterparty for every buy and sell on that ticker — sells are funded from the same reserves that received buys, so the platform itself is not exposed to ticker P/L.

Hot wallet protection. The custody wallet is operated under tight operational discipline (key file chmod 400, dev:dev-owned, gitignored, no logging of secrets). A multisig upgrade (2-of-3 via Squads Protocol) is in active rollout — once live, a single key compromise will not authorize withdrawals above operational thresholds. Routine user withdrawals are auto-processed today.

Custody architecture will evolve as the platform grows. The roadmap moves from the current hot-wallet model toward user-held wallets, and ultimately toward partnership with a regulated custodian. Specific timing depends on platform scale and regulatory milestones; user withdrawal priority remains the highest operational invariant throughout.

A publicly verifiable proof-of-reserves dashboard is live at /reserves.html, letting each user check that platform liabilities are backed by on-chain reserves.

Acknowledgments

Researchers who have responsibly reported security issues will be listed here with their permission.

(none yet — be the first)