Security & Responsible Disclosure
ChainMore takes security findings seriously. If you've found a vulnerability, this page tells you how to report it, what's in scope, and the protections we extend to good-faith researchers.
Machine-readable contact details are published at /.well-known/security.txt per RFC 9116.
Reporting a vulnerability
Email security@chainmore.io with:
- A clear description of the issue and the affected ChainMore surface (marketing site, merchant dashboard, gateway API, Keycloak realm).
- Steps to reproduce, including sample requests / screenshots / videos.
- Your assessment of impact (data exposure, privilege escalation, downtime, etc.).
- Whether you've shared this finding with anyone else.
Please do not file vulnerabilities as public GitHub issues, social-media posts, or anywhere else they would be seen by an attacker before we can fix them.
Our response commitments
- Acknowledgement within 3 business days of your report being received.
- Triage outcome within 10 business days: confirmed, duplicate, out-of-scope, or false-positive.
- Remediation timeline shared once severity is confirmed. We commit to fixing critical issues within 30 days; lower-severity issues on a best-effort schedule.
- Recognition in our Hall of Thanks (below) at your option, with the credit line of your choice. We never publish researcher names without consent.
Safe Harbor
If you make a good-faith effort to comply with this policy during your security research, ChainMore will:
- Consider your research authorised under our terms of service.
- Not pursue or support legal action against you for accidental, good-faith violations of this policy.
- Not bring a claim against you under the Computer Fraud and Abuse Act (US), the Estonian Penal Code §206-§208 (Computer Crimes), or analogous laws in other jurisdictions, for activities consistent with this policy.
- Work with you to understand and resolve the issue quickly.
You are expected to comply with all applicable laws and to make every reasonable effort to avoid privacy violations, destruction of data, and interruption or degradation of our services. If a third party initiates legal action against you because of activities that complied with this policy, we will make this authorisation known.
Scope
In scope
- chainmore.io and www.chainmore.io (marketing site)
- app.chainmore.io (Merchant Dashboard)
- api.chainmore.io (Payment Orchestration Gateway API)
- auth.chainmore.io (OIDC identity provider)
- Any public ChainMore-owned sub-domain of chainmore.io not explicitly listed as out-of-scope
Out of scope
- Internal-only systems and separately governed product surfaces unless ChainMore explicitly invites testing for that surface.
- Third-party services we use (Netlify, Keycloak upstream issues); please report those to the vendors directly.
- Clickjacking, missing security headers, or content spoofing on pages without sensitive actions or authentication state.
- Self-XSS that requires a victim to paste a payload into their own console.
- Social-engineering attacks against ChainMore staff or merchants.
- Physical attacks against ChainMore facilities or staff.
- Denial-of-service via volumetric flooding (please don't try this against production).
- Findings derived from publicly disclosed vulnerabilities in our dependencies for which we are still inside the vendor's recommended patch window.
- Theoretical issues without a demonstrated exploitation path against a ChainMore surface.
Out-of-band activity we ask you to avoid
- Do not attempt to access, modify, or destroy data that is not your own.
- Do not run automated scans that generate substantial traffic against production endpoints. If you need to test rate-limits, contact us first.
- Do not pivot from a ChainMore vulnerability into related systems (banking partners, payment-rail providers, etc.).
- Do not exfiltrate data beyond the minimum needed to demonstrate impact. Keep proof-of-concept artefacts local and share them only with us.
Bug bounty
ChainMore is pre-launch and currently does not offer a paid bug bounty. We will recognise contributions in the Hall of Thanks below and will, at our discretion, send swag, a written thank-you, or a reference letter you can use professionally. A formal bounty programme will be evaluated post-launch.
Hall of Thanks
Researchers who have responsibly disclosed valid findings are listed here, with their consent. Listing is empty during the pre-launch period.
- (none yet, be the first)
This policy
This policy is published in good faith and applies from the date last updated. ChainMore may update it; the canonical version always lives at https://chainmore.io/security. Material changes (narrowed scope, removed safe-harbor provisions) are flagged in the change log below for at least 90 days.
Change log
- April 2026: Initial publication.
Last updated: April 2026 · RFC 9116 contact details: /.well-known/security.txt