Security & bug bounty

Effective: April 2026

We treat security as a first-class product surface. This page documents how TMIYC is architected to resist compromise, what is in scope for external testing, and how to report findings so they reach a human within hours.

Our security model

The platform is split across isolation boundaries. Trading signer keys live on a dedicated hardened VM with no inbound internet exposure; the public API talks to it over a mutually-authenticated internal channel.

Every privileged action is written to an append-only audit log whose entries are chained by SHA-256 hashes: each entry's hash covers the previous entry's hash, so modifying any entry invalidates the chain from that point onward.

Database backups are encrypted with AES-256-GCM using a key held only in a sealed vault. Staff access to production requires hardware-backed MFA (WebAuthn) and is recorded. A one-command kill-switch disables all trading flows and rotates session tokens in under 60 seconds.

Public traffic is fronted by Cloudflare WAF with rate-limits and bot management. HTTPS is enforced with HSTS (preload-listed), and all first-party responses carry strict Content-Security-Policy, X-Frame-Options and Referrer-Policy headers.
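The hash-chained audit log described above, as an added illustration (this is not TMIYC's code; the record layout, the all-zero genesis hash and the canonical JSON encoding are assumptions). It shows the property the paragraph relies on, that an edit breaks every link from the modified entry onward, and one caveat a practitioner should keep in mind: an attacker who can write to the log can simply recompute the links after editing, so the chain only proves integrity if the current head hash is also stored somewhere the attacker cannot reach (a signed timestamp, a WORM bucket, a separate system). The verifier therefore checks both the links and the anchored head.

```python
"""Hash-chained append-only audit log (added example, not the platform's code).
Each record stores prev (previous record's hash) and hash = SHA-256(prev || entry).
"""
from __future__ import annotations

import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed convention: prev-hash of the first record


def canonical(entry: dict) -> bytes:
    """Stable serialization so key order cannot change the hash."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def link_hash(prev_hash: str, entry: dict) -> str:
    """SHA-256 over the previous hash concatenated with the canonical entry."""
    return hashlib.sha256(prev_hash.encode() + canonical(entry)).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.records: list[dict] = []

    def append(self, entry: dict) -> str:
        prev = self.records[-1]["hash"] if self.records else GENESIS
        h = link_hash(prev, entry)
        self.records.append({"prev": prev, "entry": entry, "hash": h})
        return h

    def head(self) -> str:
        return self.records[-1]["hash"] if self.records else GENESIS


def first_broken_link(records: list[dict]) -> int | None:
    """Index of the first record whose link is inconsistent, or None if all hold."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["prev"] != prev or rec["hash"] != link_hash(prev, rec["entry"]):
            return i
        prev = rec["hash"]
    return None


def verify(records: list[dict], trusted_head: str) -> tuple[bool, int | None]:
    """Check every link AND that the chain ends at an out-of-band anchored head.
    Returns (ok, index_of_first_broken_link_or_None)."""
    broken = first_broken_link(records)
    if broken is not None:
        return False, broken
    head = records[-1]["hash"] if records else GENESIS
    return head == trusted_head, None


def rechain(records: list[dict], start: int) -> None:
    """What an attacker with write access does: recompute links from `start`."""
    prev = records[start - 1]["hash"] if start else GENESIS
    for rec in records[start:]:
        rec["prev"] = prev
        rec["hash"] = link_hash(prev, rec["entry"])
        prev = rec["hash"]


def demo() -> tuple[tuple[bool, int | None], tuple[bool, int | None], tuple[bool, int | None]]:
    log = AuditLog()
    # constructed sample entries, not real audit data
    for seq, action in enumerate(["kill_switch.arm", "signer.rotate", "user.export"]):
        log.append({"seq": seq, "actor": "ops@example", "action": action})
    anchored = log.head()  # copy of the head kept outside the attacker's reach

    # 1. naive in-place edit of record 1: the link at index 1 no longer verifies
    tampered = copy.deepcopy(log.records)
    tampered[1]["entry"]["actor"] = "attacker@example"
    naive = verify(tampered, anchored)        # (False, 1)

    # 2. attacker also rewrites every later link: links verify, head does not
    rechain(tampered, 1)
    rewritten = verify(tampered, anchored)    # (False, None)

    return verify(log.records, anchored), naive, rewritten


if __name__ == "__main__":
    print(demo())
```

Only the anchored-head comparison catches the second case; a chain verified purely against itself says nothing about who last rewrote it.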

Bug bounty — in scope

Any host under tmiyc.trade and its subdomains (api, app, forum, docs, status); the official Android APK as distributed from /download; the public JSON API as documented at api.tmiyc.trade. Authentication, session handling, payment flows, privilege escalation and secret leakage are explicitly high-interest areas.

Out of scope

  • Social engineering against staff or customers.
  • Physical attacks.
  • Any form of denial-of-service that does not demonstrate a specific account or data-integrity compromise.
  • Reports generated purely from automated scanners without a working proof of concept.
  • Vulnerabilities in third-party services we do not control (Stripe, Cloudflare, Telegram).
  • Self-XSS.
  • Missing best-practice headers with no demonstrable impact.
  • Clickjacking on pages without sensitive actions.

Rewards

Payouts are made in USD or USDT within 14 days of triage. The band reflects real business impact — we will explain the rating openly.

  • Critical — $1,000 to $5,000. Remote code execution, signer compromise, mass account takeover, withdrawal of funds (even on testnet routes), or full PII dump.
  • High — $500 to $1,000. Authenticated IDOR exposing other users' data, stored XSS on authed surfaces, authentication bypass, significant privilege escalation.
  • Medium — $100 to $500. CSRF on state-changing endpoints, reflected XSS, limited data disclosure, meaningful logic flaws.
  • Low — $50 to $100. Open redirects with demonstrable phishing value, minor information leaks, rate-limit bypasses on non-critical endpoints.

Disclosure policy

We follow coordinated disclosure with a 90-day maximum window from first valid report. During that window we commit to: acknowledging receipt within 24 hours, a full triage within 72 hours, and a fix or written mitigation plan within 30 days for critical and high severity. If the issue is fixed before day 90 we publish a post-mortem together with the reporter's preferred credit. Please send reports to security@tmiyc.trade — encrypt to the PGP key below if the finding is sensitive.

Hall of Fame

Reporters who follow this policy and help us fix real issues are credited here with their consent. The list is currently empty — be the first.

PGP key

Fingerprint: D09C BE8F C19D 3559 EF47 73E6 3441 F359 4FDE 459D. RSA-4096, no expiration. Download the armoured public key and import with `gpg --import security.asc`. Before encrypting anything to it, confirm that `gpg --fingerprint D09CBE8FC19D3559EF4773E63441F3594FDE459D` prints exactly the fingerprint above; a key with any other fingerprint is not ours.

Download security.asc
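A small import-and-encrypt script, added here as an example and not part of the page or TMIYC's tooling: it reads the fingerprint out of security.asc without importing it, refuses to proceed unless that fingerprint matches the one published above, and only then imports the key and encrypts a report to it. It assumes GnuPG 2.1.14 or newer (for `--import-options show-only`) and a report file path supplied by the caller.

```sh
#!/bin/sh
# Added example: verify the published fingerprint before trusting security.asc.
set -e

# Fingerprint as published on this page, whitespace removed for comparison.
EXPECTED_FPR="D09CBE8FC19D3559EF4773E63441F3594FDE459D"

# Normalize a fingerprint: drop whitespace, upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'
}

# Print the primary-key fingerprint of the first key in an armoured file
# without importing it; with --with-colons it is field 10 of the 'fpr' record.
keyfile_fpr() {
    gpg --batch --with-colons --import-options show-only --import "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Exit status says whether a candidate fingerprint equals the published one.
fpr_matches() {
    [ "$(normalize_fpr "$1")" = "$EXPECTED_FPR" ]
}

# Usage: encrypt_report security.asc report.txt   (writes report.txt.asc)
encrypt_report() {
    keyfile="$1"
    report="$2"
    actual="$(keyfile_fpr "$keyfile")"
    if ! fpr_matches "$actual"; then
        echo "refusing: $keyfile has fingerprint '$actual', expected $EXPECTED_FPR" >&2
        return 1
    fi
    gpg --batch --import "$keyfile" >/dev/null 2>&1
    # The fingerprint comparison above is the trust decision; --trust-model always
    # skips the web-of-trust check that makes batch encryption fail on an unsigned key.
    gpg --batch --yes --armor --trust-model always \
        --recipient "$EXPECTED_FPR" --encrypt --output "$report.asc" "$report"
}
```

Encrypting to the fingerprint rather than to an e-mail address avoids picking up a look-alike key that someone else uploaded to a keyserver under the same address.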