Skip to main content

Security

Last updated: February 28, 2026

1. Our Commitment

Security is foundational to CrowdProof. We handle reputation data, cryptographic proofs, and financial interactions across multiple blockchains. We take a defense-in-depth approach to protecting our systems and your data.

2. Smart Contract Security

  • All contracts are written in Solidity 0.8.24 with overflow protection built-in
  • UUPS proxy pattern for upgradeable contracts with strict access controls
  • OpenZeppelin library usage for battle-tested implementations (ERC20, AccessControl, Pausable)
  • Comprehensive Foundry test suite with 95%+ code coverage
  • External security audit planned before mainnet deployment
  • Multi-sig ownership (Gnosis Safe) for all admin functions post-launch

3. Infrastructure Security

  • All traffic encrypted with TLS 1.3
  • HSTS enabled with 1-year max-age and includeSubDomains
  • Azure App Service with managed runtime updates
  • SQL Server with encrypted connections and parameterized queries
  • Secrets managed via Azure Key Vault (API keys, RPC URLs, database credentials)
  • Content Security Policy headers on all pages

4. API Security

  • JWT authentication via Sign-In with Ethereum (SIWE)
  • API key authentication with per-tier rate limiting
  • Input validation on all endpoints (wallet address format, query parameters)
  • CORS restricted to known origins
  • Request metering and anomaly detection

5. Zero-Knowledge Proof Security

Our ZK circuits use the Groth16 proving system with a trusted setup ceremony. Verification keys are published on-chain and can be independently verified. Proof generation uses private inputs that are never transmitted to our servers when using client-side proof generation (WASM SDK).

6. Responsible Disclosure

If you discover a security vulnerability in CrowdProof, we ask that you disclose it responsibly:

  • Email security@crowdproof.id with a detailed description of the vulnerability
  • Include steps to reproduce the issue
  • Allow us reasonable time (90 days) to address the issue before public disclosure
  • Do not exploit the vulnerability beyond what is necessary to demonstrate it

7. Bug Bounty Program

CrowdProof rewards security researchers who responsibly disclose vulnerabilities. Bounty amounts are based on severity and impact.

SeverityBountyExamples
Critical$5,000 – $25,000Smart contract fund theft, private key exposure, ZK proof forgery
High$2,000 – $5,000Score manipulation, authentication bypass, API key leakage
Medium$500 – $2,000Rate limit bypass, IDOR, information disclosure
Low$100 – $500XSS, CSRF, missing security headers

In-Scope Assets

  • Smart contracts (DIDRegistry, ReputationOracle, CredentialVerifier, PaymentEscrow, GovernanceToken)
  • Backend API — crowdproof-api.azurewebsites.net
  • Portal — portal.crowdproof.id
  • Website — crowdproof.id
  • SDKs — TypeScript, Python, Go, C#, Java, Swift
  • ZK circuits — ReputationProof, AgeProof, KYCProof

Out of Scope

  • Social engineering or phishing attacks
  • Denial of service (DoS/DDoS) attacks
  • Vulnerabilities in third-party services (Stripe, Persona, Azure)
  • Issues requiring physical access to hardware
  • Known issues already listed in our GitHub issue tracker

8. Acknowledgments

We thank the following researchers for their responsible disclosure of security vulnerabilities. This Hall of Fame recognizes contributions that helped make CrowdProof more secure.

No submissions yet. Be the first to report a vulnerability and earn a spot here.

Report a Vulnerability

Found something? We appreciate your help keeping CrowdProof secure. You can also find our machine-readable disclosure policy at /.well-known/security.txt.

Contact Security Team