Security

Responsible disclosure, done right.

If you find a vulnerability on NoKYCSwap, tell us. Ninety-day coordinated disclosure, no legal action against good-faith research, public credit on request. This page spells out the exact terms.

ACK: < 48h · Fix SLA: 14 – 90d · PGP: on request

Disclosure timeline

From report to public credit

1 · Day 0 · Report

Email [email protected] with a short write-up and a proof-of-concept. PGP key available on request. We acknowledge within 48 hours.

2 · Day 1 – 90 · Triage & fix

We reproduce, score, and deploy a fix. For a severity above medium, we aim to ship the fix within 14 days; for low severity, within 90. You get a status update at minimum every 14 days.

3 · Day 90+ · Public disclosure

After the fix ships and users have had time to pick it up, we publish a short note and credit you by name or handle — unless you prefer otherwise. Coordinated disclosure only. No surprise embargoes.

Scope

What we want you to test

In scope

Fair game

  • The nokycswap.io web frontend and any subdomain we operate (api., etc.).
  • Server-side code paths reachable from the production surface.
  • Client-side issues with demonstrable impact (XSS, CSRF bypass, DOM clobbering that leaks state).
  • Cryptographic weaknesses in our signing / CSRF / session handling.
  • Mis-configurations visible over HTTP(S): CSP bypass, HSTS/preload gaps, CORS permissiveness, header-injection chains.
  • Logic flaws that let a user read or tamper with another user's order state.

Out of scope

Not eligible & will be closed

  • Denial-of-service, resource exhaustion, rate-limit bypass without a secondary impact.
  • Tab-nabbing, clickjacking without security impact, missing security headers on static assets.
  • Issues that require an attacker in the user's browser (malicious extensions, local malware).
  • Spoofing From headers in emails we do not control.
  • 3rd-party assets (Cloudflare, fonts.bunny.net, ff.io) — report upstream.
  • Self-XSS, UI redressing that a reasonable user would not fall for.
  • Best-practice suggestions without demonstrable impact.

Safe harbour

Our commitments to researchers

No legal action

Against good-faith research that stays within scope, avoids destructive testing, and respects user privacy. We will not contact your employer, your hosting provider, or law enforcement about your report.

No automated bans

Active testing (authorised scanners, manual probing) will not trigger account lock-out — we have no accounts. IP-level rate limits apply; let us know and we'll whitelist your source.

Credit on request

We publish a short acknowledgment in release notes and on this page after the fix ships. Want to stay pseudonymous or anonymous? Say so in the report.

Bounty honest-talk

We do not yet operate a paid bounty programme. We thank substantive reports with merch, testnet credits, and honest public credit. When we have the runway, a paid programme will be next.

Hall of fame

Researchers who made this site safer

We credit every substantive report here after the fix ships. The list is currently empty — not because no one has looked, but because we have only just published this page. If you would like to be the first, write to [email protected].

Found something? Tell us first.

We answer every report. Private by default, public on your timetable.