# 5arz Security Policy

**Last updated:** 2026-05-09
**Contact:** security@5arz.com (preferred) · andre@thatislumi.com

---

## Reporting a vulnerability

If you've found a security issue, please email **security@5arz.com**
with:

1. A clear description of the vulnerability.
2. Reproduction steps or a working proof of concept.
3. The impact (what an attacker could do).
4. Your name / handle for the acknowledgments page (or "anonymous").

We will:

- Acknowledge your report within 24 hours.
- Triage and confirm within 72 hours.
- Patch critical issues within 7 days.
- Credit you publicly once the fix ships, unless you ask us not to.

We do not take legal action against good-faith security research
that follows this policy. We do prosecute attempts to exfiltrate
real user data, deploy ransomware, or extort the foundation.

---

## Scope

**In scope:**

- `5arz.com` and any `*.5arz.com` subdomain.
- The Bio-Bridge attestation API (post-launch).
- Smart contracts deployed on Base L2 (post-mainnet).
- The 5arz mobile and web wallets (post-launch).

**Out of scope:**

- Third-party providers we integrate with (Persona, Plaid, Method,
  Stripe). Report to them via their own disclosure programs.
- Volumetric DDoS attacks — handled at the Cloudflare edge.
- Issues that require physical access to a user's device.
- Social-engineering attacks against staff or users.
- Reports generated by automated scanners (Burp, Acunetix, etc.)
  without a working proof-of-concept.

---

## Defense-in-depth summary

What we ship by default:

- **Edge:** Cloudflare Pages with WAF, Bot Fight Mode, and edge
  rate limiting on `/verify`. DDoS absorbed at the edge.
- **Transport:** TLS 1.3 only. HSTS with `preload`. DNSSEC enabled.
  CAA records pin the cert authority.
- **Browser:** Strict Content Security Policy. No `eval`. No
  `unsafe-eval`. Frame-ancestors `none` (we can't be iframed).
  Permissions-Policy denies geolocation, mic, USB, etc.
- **PII handling:** SSN, bank login, and card data never touch our
  servers. They flow from the user's browser directly to Persona,
  Method, Plaid, and Stripe iframes (all PCI/SOC2 certified).
  We hold attestation hashes only.
- **Wallets:** Biometric authentication on-device (WebAuthn / Face
  ID / Touch ID). Private keys never leave the user's secure
  enclave. Account abstraction via ERC-4337 with social recovery.
- **Smart contracts:** Two external audits required before mainnet.
  Bug bounty live before launch ($1M ceiling). Multi-sig for all
  privileged operations, 2-of-3 minimum, signers verify simulation.
- **Operational:** No secrets in git. Vault for production. Two
  human signers required for any multi-sig action. SOC 2 Type II
  in progress.

Our threat model + full architecture is in `whitepaper.html`.
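The browser and transport items above translate into a handful of response headers that are easy to regress on a deploy. The following is an added example, not 5arz tooling: a small Python checker that takes a captured set of response headers and reports every deviation from the policy stated above (HSTS with `preload`, no `unsafe-eval` in the CSP, `frame-ancestors 'none'`, and a Permissions-Policy that denies geolocation, microphone and USB). The one-year `max-age` and `includeSubDomains` checks are drawn from the HSTS preload list requirements rather than from this page; the two header sets at the bottom are constructed to show a passing and a failing deployment.

```python
"""Check captured HTTP response headers against the hardening described in
the 5arz defense-in-depth summary.  Added example, not 5arz's own tooling.
The HARDENED / WEAK header sets are constructed sample input."""

from __future__ import annotations

import re


def _csp_directives(csp: str) -> dict[str, list[str]]:
    """Parse a Content-Security-Policy value into {directive: [sources]}."""
    out: dict[str, list[str]] = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = [t.strip("'\"").lower() for t in tokens[1:]]
    return out


def check_headers(headers: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means the headers meet the policy."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []

    # Transport: HSTS must carry preload.  The one-year minimum max-age and
    # includeSubDomains are the hstspreload.org requirements (assumption here).
    hsts = h.get("strict-transport-security", "").lower()
    m = re.search(r"max-age=(\d+)", hsts)
    if not m or int(m.group(1)) < 31536000:
        findings.append("HSTS missing or max-age below one year")
    if "preload" not in hsts:
        findings.append("HSTS lacks preload")
    if "includesubdomains" not in hsts:
        findings.append("HSTS lacks includeSubDomains")

    # Browser: CSP present, unsafe-eval nowhere, frame-ancestors 'none'.
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        directives = _csp_directives(csp)
        for name, sources in directives.items():
            if "unsafe-eval" in sources:
                findings.append(f"CSP {name} allows unsafe-eval")
        if directives.get("frame-ancestors") != ["none"]:
            findings.append("CSP frame-ancestors is not 'none'")

    # Permissions-Policy: each sensitive feature must be denied with "()".
    allowed: dict[str, str] = {}
    for part in h.get("permissions-policy", "").split(","):
        if "=" in part:
            feature, value = part.split("=", 1)
            allowed[feature.strip().lower()] = value.strip()
    for feature in ("geolocation", "microphone", "usb"):
        if allowed.get(feature) != "()":
            findings.append(f"Permissions-Policy does not deny {feature}")

    return findings


# Constructed sample input: one deployment that meets the policy, one that does not.
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "Permissions-Policy": "geolocation=(), microphone=(), usb=(), camera=()",
}

WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-eval'; frame-ancestors 'self'",
    "Permissions-Policy": "geolocation=(self), microphone=()",
}


if __name__ == "__main__":
    for label, hdrs in (("hardened", HARDENED), ("weak", WEAK)):
        result = check_headers(hdrs)
        print(f"{label}: {'OK' if not result else ''}")
        for finding in result:
            print(f"  - {finding}")
```

Run it against headers captured from a staging deploy (for example the output of `curl -sI https://example.invalid`) by loading them into a dict; a non-empty list is a deploy-time gate failure rather than something to discover in a bounty report.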

---

## Bug bounty

A formal bounty program will go live alongside testnet (Q3 2026).
Until then, qualifying reports are paid case-by-case at the
foundation's discretion, with rough bands:

| Severity | Pre-launch | Post-mainnet |
| --- | --- | --- |
| Critical (RCE, key extraction, fund loss) | $5K–$25K | $250K–$1M |
| High (privilege escalation, PII leak) | $1K–$5K | $25K–$100K |
| Medium (auth bypass, IDOR) | $250–$1K | $5K–$25K |
| Low (info disclosure, header issues) | $50–$250 | $500–$2K |

---

## What we expect from you

- Don't access, modify, or destroy data that isn't yours.
- Don't degrade service for other users.
- Don't pivot into other systems, foundations, or partners.
- Give us reasonable time to fix before public disclosure.
- Report through `security@5arz.com`, not Twitter.

---

*Built by humans. Verified by humans. Defended by humans.*
