CX
CoinExchange.Cash

Security Policy & Vulnerability Disclosure

Last updated: April 28, 2026

CoinExchange.Cash takes the security of our users' funds and data seriously. This page describes how to report a security vulnerability responsibly, what is in scope, and what you can expect from us in return. The machine-readable companion to this page is published at /.well-known/security.txt per RFC 9116.

1. How to report a vulnerability

If you believe you have found a security vulnerability in CoinExchange.Cash, please email [email protected] with as much detail as you can share. Helpful information includes:

  • A clear description of the issue and the impact you believe it has.
  • Steps to reproduce, including URLs, request bodies, payloads or sample accounts.
  • Any proof-of-concept code, screenshots or video recordings.
  • Your name or handle for credit (optional — you can also remain anonymous).

A PGP key is available on request — mention this in your first email and we will exchange keys before you send sensitive technical details.

Please do not open public GitHub issues, social media posts, or other public disclosures before we have had a chance to fix the issue.

2. Our commitment to you

If you submit a vulnerability report in good faith, we commit to:

  • Acknowledge receipt of your report within 5 business days.
  • Triage and provide an initial assessment of severity within 10 business days of acknowledgement.
  • Keep you informed of our progress at reasonable intervals while we work on a fix.
  • Credit you publicly (with your permission) once the issue is resolved.
  • Not pursue legal action against researchers who follow this policy in good faith. See "Safe harbour" below.

We do not currently run a paid bug-bounty programme. We may offer a discretionary token of appreciation (swag, on-chain payment, public credit) for high-impact reports, but no payment is guaranteed.

3. Scope

The following assets are in scope for vulnerability reports:

  • https://coinexchange.cash — the public web app
  • https://api.coinexchange.cash — the public API
  • https://admin.coinexchange.cash — the admin app, if you find an authentication or authorisation bypass that exposes it from outside
  • Smart-contract source and any deployments explicitly listed in our public security and deployment record. No EVM escrow production address is currently published.
  • Source code at github.com/xrfr8/coinexchange.

The following are out of scope:

  • Third-party services we integrate with (WalletConnect/Reown, MoonPay, Onramper, Ramp, Transak, Mercuryo, AlchemyPay, Simplex, Persona, Cloudflare Turnstile, etc.). Please report those directly to the vendor.
  • Issues that require physical access to a victim's device, or social engineering of CoinExchange.Cash staff or users.
  • Denial-of-service attacks against our infrastructure or third-party blockchain RPC providers.
  • Reports generated solely by automated scanners with no demonstrated impact.
  • Issues already disclosed in our public GitHub issues or pull requests.

4. Issues we are particularly interested in

  • Anything that allows funds to be moved out of escrow without the agreement of the legitimate signers.
  • Authentication or session-management flaws (account takeover, privilege escalation, JWT issues, OAuth/SSO misconfiguration).
  • Server-side request forgery, SQL injection, command injection, deserialisation issues in the API server.
  • Stored or reflected XSS, CSRF on state-changing endpoints, or open redirects on the web app.
  • Smart-contract vulnerabilities (re-entrancy, missing access control, integer issues, unbounded loops, oracle manipulation).
  • Sensitive-data exposure (API keys, environment variables, PII) in responses, logs or source maps.
  • Cryptographic weaknesses in our wallet, escrow, or fairness-proof flows.

5. Rules of engagement

While testing, please:

  • Use only accounts you own, or test accounts you create yourself. Do not interact with other users' trades, loans, escrows, prediction markets or slot sessions.
  • Limit traffic volume so as not to disrupt the service for other users. Stop at the first proof-of-concept request — do not run sustained fuzzing campaigns against production.
  • Do not exfiltrate, modify or destroy data beyond the minimum necessary to demonstrate the issue. If you accidentally access another user's data, stop immediately and tell us.
  • Do not publicly disclose the issue until we have confirmed it is fixed and given you the go-ahead.
  • Comply with all applicable laws and regulations in your jurisdiction.

6. Safe harbour

CoinExchange.Cash will not pursue civil or criminal action against security researchers who, in good faith:

  • Follow this Security Policy in full;
  • Make a genuine effort to avoid privacy violations, service degradation and destruction of data;
  • Report the vulnerability to [email protected] promptly upon discovery;
  • Do not disclose the issue publicly before we have had a reasonable opportunity to fix it.

If a third party (such as a hosting provider or law-enforcement agency) brings an action against you, we will make it clear, in writing if needed, that your activity was authorised under this policy.

This safe harbour does not apply to actions that fall outside this policy — for example, deliberately disrupting other users, extorting the platform, or stealing funds.

7. Contact & updates

Security contact: [email protected].

Machine-readable policy: /.well-known/security.txt (RFC 9116).

We may update this policy from time to time; substantive changes will be reflected in the "Last updated" date at the top of the page and in the Expires field of security.txt.

Security Policy & Vulnerability Disclosure — CoinExchange.Cash | CoinExchange