Security

Responsible Disclosure

If you discover a security vulnerability in the Chainproven API or website, please report it to [email protected]. We aim to acknowledge reports within 48 hours and resolve critical issues within 7 days.

Please do not publicly disclose vulnerabilities before we have had a chance to address them. We appreciate responsible researchers and will acknowledge your contribution in our security hall of fame.

Scope

  • chainproven.com and subdomains
  • api.chainproven.com — all API endpoints
  • API authentication and key management
  • EAS attestation contract interactions

Out of Scope

  • Social engineering of Chainproven team members
  • Physical security attacks
  • Denial-of-service attacks
  • Third-party services we depend on

Security Practices

Chainproven API keys are stored hashed. EAS attestation signing keys are managed via AWS KMS with hardware security modules — private keys never leave the HSM. All API traffic is encrypted in transit (TLS 1.3+). Regulatory data is read-only and comes from verified primary sources.