◆ SECURITY POLICY

Vorepo security

How we secure the platform and how to report a vulnerability responsibly.

Reporting a vulnerability

If you believe you've found a security issue, report it privately before public disclosure.

Response SLA: first reply within 72 hours.

RFC 9116 / security.txt: /.well-known/security.txt

Please include: a clear description, reproduction steps, affected URL or endpoint, and your assessment of impact. Encrypted reports welcome — request our PGP key in the first message.

What we ask

Do not test against other users' accounts or data.
Do not run automated scanners that produce excessive load. We rate-limit aggressively.
Do not exfiltrate data beyond the minimum needed to demonstrate the issue.
Give us reasonable time to fix before public disclosure (we aim for under 90 days).

What you get

Acknowledgment within 72 hours.
Status updates as we triage and fix.
Public credit (with your permission) in the acknowledgments section below.
For high-severity findings we will discuss a bounty case-by-case (we do not run a fixed-price program yet).

Scope

In scope

vorepo.com and subdomains we operate (dev.vorepo.com, api.vorepo.com).
Public APIs documented at /docs.html.
Authentication, session management, withdrawal flow, deposit detection, reserve accounting.

Out of scope

Third-party services we integrate with (Privy, Coinbase Onramp, Cloudflare). Report to the vendor.
Social-engineering attacks against staff or users.
Denial-of-service / resource-exhaustion testing.
Reports relying solely on missing security headers without a working exploit chain.
Findings that require physical access to a user's device.

Security controls in production

Authentication. Email + bcrypt-hashed password (cost factor 12). Optional TOTP 2FA. JWT bearer tokens for API; not stored in cookies.
Withdrawals. Every withdrawal requires a fresh 6-digit email code (30-min TTL, 5-attempt cap). Balance debited at request, auto-refunded if the code expires.
Hot wallet. Solana hot wallet signs USDC withdrawals; private key file mode 0400, owned by service user, never logged or committed.
Network. TLS 1.2+ enforced. HSTS with preload. Cloudflare in front. Server-side rate limiting on auth and admin paths.
Headers. Strict CSP with allowlisted origins, X-Frame-Options: SAMEORIGIN, X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin, Permissions-Policy stripping camera/mic/geolocation.
API surface. Auto-generated OpenAPI schema is not publicly served. Admin endpoints require JWT + admin allowlist; admin landing page is on an obscured path.
Logging. journald; passwords, JWTs, and full deposit/withdrawal addresses are not logged at INFO.

Funds custody

Vorepo is custodial: USDC you deposit lives on a Vorepo-controlled Solana hot wallet until you withdraw. Each ticker has a separate reserve pool that is the counterparty for every buy and sell on that ticker — sells are funded from the same pool that received buys, so the platform itself is not exposed to ticker P/L.

A publicly verifiable proof-of-reserves dashboard is on the near-term roadmap, letting each user check their balance is included in our snapshotted liabilities.

Acknowledgments

Researchers who have responsibly reported security issues will be listed here with their permission.

(none yet — be the first)