Responsible Disclosure Policy

Last updated: 24 May 2026 · Effective: 24 May 2026

Security is the core of what we build, and we welcome reports from researchers who help us keep it that way. This policy explains how to report a vulnerability in the Coinhost website or the Coinhost Wallet, what is in scope, and what you can expect from us in return.

1. How to report

Email security@coinhost.com with enough detail for us to reproduce the issue: the affected component, steps to reproduce, impact, and any proof-of-concept. Please encrypt sensitive reports with our PGP key, published at coinhost.com/security.asc. Do not disclose the issue publicly until we have resolved it and coordinated a disclosure timeline with you.

2. Our commitment (safe harbor)

If you make a good-faith effort to comply with this policy during your research, we will consider your testing authorized, we will not pursue or support legal action against you, and we will work with you to understand and resolve the issue quickly. We will acknowledge your report, keep you updated, and credit you if you wish once a fix has shipped.

3. Guidelines

  • Act in good faith and avoid privacy violations, data destruction, and service degradation.
  • Only test against your own accounts, vaults, and devices — never against other users' funds or data.
  • Use test networks (testnet) wherever possible. Do not move, or attempt to move, funds that are not yours.
  • Give us a reasonable time to remediate before any public disclosure, and coordinate timing with us.
  • Do not use social engineering, physical attacks against our staff or facilities, or denial-of-service techniques.

4. In scope

  • The Coinhost website (coinhost.com) and its API endpoints.
  • The Coinhost Wallet mobile application and signing flow.
  • Issues affecting the integrity of the 2-of-3 model, the recovery process, or the confidentiality of user data.

5. Out of scope

  • Reports from automated scanners without a demonstrated, exploitable impact.
  • Denial-of-service, volumetric, or rate-limiting issues.
  • Vulnerabilities in third-party services we rely on (report those to the relevant vendor).
  • Social engineering and physical attacks.
  • Best-practice suggestions without a concrete security impact (for example, missing headers with no demonstrated exploit).

6. Rewards

A coordinated disclosure programme with published scope and bounty tiers will launch alongside mainnet. Until then, we recognize valid reports with public credit (where you wish) and, at our discretion, with rewards.

7. Contact

Security reports: security@coinhost.com · PGP key: coinhost.com/security.asc

Frosty World LLC
254 Chapman Rd, Ste 208 #1535
Newark, Delaware 19702
United States