Skip to main content

Security

We take the security of our applications seriously.

Rug Munch Media builds open-source software that protects retail crypto investors. The security of that software is fundamental to our mission. We develop in the open because we believe transparent code, reviewed by the community, is more secure than closed-source alternatives.

If you discover a security vulnerability in any Rug Munch Media product or infrastructure, we want to hear from you.


Report a Vulnerability

Email: security@cryptorugmunch.com

PGP Key: Available on request.

Please include:

  • A detailed description of the vulnerability
  • Steps to reproduce the issue
  • Affected product(s) and version(s)
  • Your assessment of severity
  • Any suggested remediation (if known)

We will acknowledge your report within 48 hours and provide a timeline for resolution within 5 business days.


Responsible Disclosure

We ask that you:

  1. Give us reasonable time to investigate and patch before public disclosure
  2. Don't exploit the vulnerability beyond what's necessary to demonstrate it
  3. Don't access user data beyond what's necessary for proof-of-concept
  4. Act in good faith — we're building tools to protect people, not exploit them

We do not pursue legal action against security researchers who follow these guidelines and act in good faith.


Bug Bounty Program

Coming soon. We're building a formal bounty program with rewards scaled to severity. In the meantime, researchers who report valid, previously unknown vulnerabilities will be acknowledged publicly (if desired) on our Git repository and on this page.


Security by Design

Our security philosophy:

PrincipleImplementation
Open sourceEvery line of code is public. Community review finds bugs before attackers do.
Encryption at restAES-256-GCM for sensitive data. Argon2id for key derivation.
Transport securityTLS 1.3 for all services. HSTS enforced.
Minimal data collectionWe don't track users, store PII, or sell data. Less data = less attack surface.
Secrets managementAll credentials in gopass. Nothing in git. Nothing in .env.
Pre-commit guardsGitleaks, semgrep, bandit, and AI hallucination checkers run on every commit.
CI/CD gatesLint, typecheck, test, audit, and security scans before any deploy.
Self-hostableRun every product on your own hardware. Audit the code. Verify the build.

security.txt

Contact: mailto:security@cryptorugmunch.com
Expires: 2027-07-09T00:00:00.000Z
Preferred-Languages: en
Canonical: https://cryptorugmunch.com/.well-known/security.txt
Policy: https://cryptorugmunch.com/security

Automated scanners can also find our security policy at /.well-known/security.txt.


Acknowledgments

We gratefully acknowledge the security researchers who have helped improve our products:

No reports yet. You could be the first.


Responsible AI

Our AI infrastructure (Ollama, OpenRouter, DeepSeek, Gemini, and others) is used for development automation, code review, and security scanning. We do not train models on user data. AI agents operate under strict guardrails (see our AGENTS.md).


Report vulnerabilities: security@cryptorugmunch.com