If you discover a security vulnerability in xproof, please report it responsibly.

Do NOT open a public GitHub issue for security vulnerabilities.

Instead, please contact the maintainers directly via email or GitHub private vulnerability reporting.

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)

• Acknowledgment: within 48 hours
• Initial assessment: within 5 business days
• Fix or mitigation: as soon as possible depending on severity

xproof never stores or transmits user files. SHA-256 hashing is performed entirely in the browser using the Web Crypto API. Only the hash (a 64-character hex string) is sent to the server and recorded on-chain.

• Wallet authentication uses MultiversX Native Auth, which requires cryptographic proof (signature) from the user's wallet.
• Sessions are stored server-side in PostgreSQL.
• API keys for agent access use pm_ prefixed bearer tokens, hashed before storage.

• Transactions are signed client-side by the user's wallet (xPortal, Web Wallet, or WalletConnect).
• Optional server-side signing uses a private key stored in environment variables — never committed to the repository.
• All transaction hashes are independently verifiable on the MultiversX Explorer.

• All payments are processed through xMoney in EGLD. xproof never stores payment credentials.
• xMoney webhooks use HMAC SHA-256 signature verification with constant-time comparison.

• Database credentials and API keys are stored as encrypted secrets, never in source code.
• HTTPS is enforced in production.
• Session cookies use httpOnly, sameSite, and secure flags in production.

We monitor and update dependencies regularly to address known vulnerabilities. Security-critical updates (such as qs, jspdf, and framework dependencies) are prioritized.