Security, in the open.
We're a trust bureau — so we hold ourselves to the standard we score others against. Most platforms keep their security private; we publish ours, because for a trust product, being transparently secure is the proof.
Verify us yourself
Trust is earned, not asserted. You can independently check our claims:
- Our issuer public key is published at
/.well-known/did.json— re-verify any Trustifer signature against it. - Our machine-readable security policy is at
/.well-known/security.txt(RFC 9116). - Our scoring is public and auditable: methodology · every score can be challenged via disputes.
- On-chain proofs (EAS attestations, soulbound tokens) are independently checkable on Base.
🐶 We run Trustifer on Trustifer
We dogfood our own product: our issuer and signer wallets are monitored by our own Trust Firewall and incident system. If we wouldn't trust it, we don't ship it.
Responsible disclosure
Found a vulnerability? We want to hear from you, and we'll credit you publicly.
- How: report it through this page (a dedicated
security@trustifer.comaddress is being set up). Include steps to reproduce and impact. - Safe harbor: good-faith research that avoids privacy violations, data destruction, and service disruption will not be pursued legally.
- Scope: please don't run automated scanners against production, exfiltrate data, or test denial-of-service. Use the open Explorer for read-only testing.
- Recognition: valid reports earn a place in our Security Hall of Fame (and a bounty once the program launches).
Audit status
An internal security review (key management, on-chain write authorization, API rate-limiting, SSRF) was completed June 2026, with findings remediated. A third-party external audit is planned before public launch — its report will be linked here when complete.
Last updated June 2026 · This page is intentionally public. Developers · Methodology