Security
We take the security of our applications seriously.
Rug Munch Media builds open-source software that protects retail crypto investors. The security of that software is fundamental to our mission. We develop in the open because we believe transparent code, reviewed by the community, is more secure than closed-source alternatives.
If you discover a security vulnerability in any Rug Munch Media product or infrastructure, we want to hear from you.
Report a Vulnerability
Email: security@cryptorugmunch.com
PGP Key: Available on request.
Please include:
- A detailed description of the vulnerability
- Steps to reproduce the issue
- Affected product(s) and version(s)
- Your assessment of severity
- Any suggested remediation (if known)
We will acknowledge your report within 48 hours and provide a timeline for resolution within 5 business days.
Responsible Disclosure
We ask that you:
- Give us reasonable time to investigate and patch before public disclosure
- Don't exploit the vulnerability beyond what's necessary to demonstrate it
- Don't access user data beyond what's necessary for proof-of-concept
- Act in good faith — we're building tools to protect people, not exploit them
We do not pursue legal action against security researchers who follow these guidelines and act in good faith.
Bug Bounty Program
Coming soon. We're building a formal bounty program with rewards scaled to severity. In the meantime, researchers who report valid, previously unknown vulnerabilities will be acknowledged publicly (if desired) on our Git repository and on this page.
Security by Design
Our security philosophy:
| Principle | Implementation |
|---|---|
| Open source | Every line of code is public. Community review finds bugs before attackers do. |
| Encryption at rest | AES-256-GCM for sensitive data. Argon2id for key derivation. |
| Transport security | TLS 1.3 for all services. HSTS enforced. |
| Minimal data collection | We don't track users, store PII, or sell data. Less data = less attack surface. |
| Secrets management | All credentials in gopass. Nothing in git. Nothing in .env. |
| Pre-commit guards | Gitleaks, semgrep, bandit, and AI hallucination checkers run on every commit. |
| CI/CD gates | Lint, typecheck, test, audit, and security scans before any deploy. |
| Self-hostable | Run every product on your own hardware. Audit the code. Verify the build. |
security.txt
Contact: mailto:security@cryptorugmunch.com
Expires: 2027-07-09T00:00:00.000Z
Preferred-Languages: en
Canonical: https://cryptorugmunch.com/.well-known/security.txt
Policy: https://cryptorugmunch.com/security
Automated scanners can also find our security policy at
/.well-known/security.txt.
Acknowledgments
We gratefully acknowledge the security researchers who have helped improve our products:
No reports yet. You could be the first.
Responsible AI
Our AI infrastructure (Ollama, OpenRouter, DeepSeek, Gemini, and others) is used for development automation, code review, and security scanning. We do not train models on user data. AI agents operate under strict guardrails (see our AGENTS.md).
Report vulnerabilities: security@cryptorugmunch.com