At AdEx, security is a core part of our culture. We make sure to build from the bottom up with security in mind; this means constant reviews, tests, audits and penetration testing. The AdEx payment channels are fully non-custodial with no backdoors or admin keys.
We encourage anyone who has discovered a significant bug to report it to us via our Help center.
To determine the severity of a reported bug or vulnerability, we use the OWASP Risk Assessment Framework. It assesses the potential impact a bug could have in relation to the likelihood of that bug being uncovered and exploited.
Depending on the severity of the reported issue, we may award bug bounties, payable in ADX tokens.
Out of scope vulnerabilities:
- Findings derived from social engineering (for example: phishing attempts)
- Functional, UI and UX bugs and spelling mistakes
- Network level Denial of Service (DoS/DDoS)
- Vulnerabilities in any of our service providers and their infrastructure (for example: Cloudflare, Zendesk)
- Vulnerabilities without real impact or exploitability.
AdEx accounts are always in your control. We use a smart wallet system similar to so-called "multi-signature wallets". This way, you can access your account through multiple cryptographic keys that you can enable or disable. This allows using multiple blockchain wallets to authenticate, multiple devices, and even traditional email/password authentication.
While password recovery is traditionally impossible for blockchain wallets, we use a classic recovery mechanism. We pair it with a timelock and a smart wallet to ensure that if you forget your password, we can recover your account. Of course, you can disable this functionality and take full control over the account if you're comfortable with managing an Ethereum wallet.
Maintaining the security of all the parties involved in the AdEx Network ecosystem is of the highest priority for us.
If you believe you have discovered a security vulnerability, please report it to us in good faith by submitting a ticket through our Help center, by emailing us at [email protected] or by using our security.txt. Each submission will be carefully reviewed, investigated and assessed by our team.
If you identify a verified vulnerability, we commit to:
- Acknowledging your report via email
- Resolving the vulnerability in 120 days or less
- Publicly acknowledging your responsible disclosure (if you wish credit for such disclosure).