GeldVault Security Audit Program

Assist us in maintaining the highest security posture for GeldVault and our network participants. Report valid security vulnerabilities through our Security Audit Program and receive rewards for your expertise.

Our Commitment to System Security

The security and integrity of the GeldVault system and the protection of our participants' assets are paramount. We implement a comprehensive, multi-layered security architecture and conduct continuous monitoring and internal stress testing. However, we highly value the contributions of the global security research community in identifying potential system vulnerabilities.

Our Security Audit Program is an invitation to security researchers to help us identify and remediate potential security weaknesses. We are committed to collaborating with the community to ensure a swift and effective response to any validated findings.

Program Scope & Parameters

This program covers security vulnerabilities identified within the following GeldVault assets:

  • Primary trading system: www.geldvault.sys and its core subdomains (e.g., app.geldvault.sys, api.geldvault.sys).
  • Official GeldVault mobile applications for iOS and Android (latest compiled versions available on official app stores).
  • Publicly accessible API endpoints (REST & WebSocket).
  • GeldVault-owned smart contracts that are actively deployed and manage participant funds (specific contract addresses will be listed on a dedicated audit program portal if applicable).

Examples of In-Scope Vulnerabilities:

  • Cross-Site Scripting (XSS) on user-facing interfaces.
  • SQL Injection (SQLi).
  • Server-Side Request Forgery (SSRF).
  • Authentication or Authorization flaws (e.g., privilege escalation, session hijacking).
  • Remote Code Execution (RCE).
  • Significant business logic flaws that could lead to financial loss or data compromise.
  • Vulnerabilities in our smart contracts that could lead to loss of funds.

Out of Scope Parameters:

  • Theoretical vulnerabilities without a practical exploit vector.
  • Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.
  • Social engineering (e.g., phishing, vishing, pretexting) of GeldVault personnel or participants.
  • Physical intrusion attempts against GeldVault property or data centers.
  • Vulnerabilities in third-party applications or services that GeldVault utilizes but does not directly control.
  • Missing security headers or best practices that do not lead to a direct, exploitable vulnerability.
  • Self-XSS that cannot be used to compromise other participants.
  • Rate-limiting issues or brute-force attacks on login or password reset, unless a bypass or severe impact is demonstrated.
  • Content spoofing and text injection issues without the ability to modify HTML/CSS.
  • Reports from automated scanners without manual verification and proof of exploitability.

Reward Tiers (Bounty Matrix)

Bounties are awarded based on the severity (CVSS score, or similar methodology) and demonstrable impact of the vulnerability. The final reward amount is at the sole discretion of the GeldVault security core.

  • Critical Vector: Up to $10,000+ (e.g., RCE, significant fund loss)
  • High Vector: $2,000 - $7,500 (e.g., XSS on sensitive interfaces, SSRF)
  • Medium Vector: $500 - $1,500 (e.g., Stored XSS, some auth flaws)
  • Low Vector: $100 - $400 (e.g., Minor info disclosure, UI redressing)

Note: Rewards are typically disbursed in stablecoins (USDT/USDC) or GeldVault Network Tokens (GVT) at our discretion.

Submission Directives & Responsible Disclosure Protocol

To be eligible for a bounty, you must adhere to our responsible disclosure protocol:

  1. Submit your findings exclusively to security.audit@geldvault.sys with the subject "Security Audit Submission: [Brief Description of Vulnerability]".
  2. Provide a detailed report including clear, concise steps to reproduce the vulnerability. Include screenshots, videos, scripts, or PoC code where applicable.
  3. Explain the potential impact vector of the vulnerability.
  4. Do not publicly disclose the vulnerability before GeldVault has had a reasonable time to investigate and remediate it (typically 90 days, but may vary). We will coordinate disclosure with you.
  5. Do not attempt to access, modify, or exfiltrate non-public data belonging to GeldVault or its participants. Limit your testing to your own accounts or designated test accounts.
  6. Do not engage in any activity that could disrupt or degrade GeldVault services (e.g., DoS, spamming).
  7. Violation of these directives may result in ineligibility for a bounty and potential legal action.

Post-Submission Protocol

  • We will acknowledge receipt of your report, typically within 3 operational cycles.
  • Our security core will investigate the reported vulnerability. We may interface with you for clarification or additional data.
  • We will notify you of our findings and, if the vulnerability is valid and in scope, determine the bounty amount.
  • We will work to remediate the vulnerability and coordinate public disclosure if appropriate.

We appreciate your efforts in helping make GeldVault a more secure system for the entire digital asset community. Your contributions are invaluable.