Security & Vulnerability Disclosure

1. How We Protect You

Prime Meridian Markets employs institutional-grade security architecture to safeguard your data and assets:

  • Cold Storage: 98% of all digital assets are held in geographically distributed, air-gapped cold wallets requiring multi-signature authorization.
  • Encryption: All data in transit is encrypted using TLS 1.3. Data at rest (including KYC documents) is encrypted using AES-256.
  • Access Control: Mandatory Two-Factor Authentication (2FA) via authenticator apps, IP whitelisting, and strict withdrawal address whitelisting.
  • Real-time Monitoring: Our matching engine and wallets are monitored 24/7 by AI-driven anomaly detection systems.

2. Responsible Disclosure Policy

We highly value the work of the cybersecurity research community. If you discover a security vulnerability in our platform, we ask that you report it to us immediately and responsibly. We ask that you do not publicly disclose the issue until we have had a reasonable opportunity to investigate and patch the vulnerability.

3. Our Commitments

If you report a vulnerability in accordance with this policy, we commit to:

  • Acknowledge receipt of your report within 48 hours.
  • Investigate the issue promptly and confirm the existence of the vulnerability.
  • Provide an estimated timeline for remediation.
  • Not pursue civil or criminal legal action against you, provided you comply with our disclosure guidelines and do not exploit the vulnerability.

4. Bug Bounty Scope

We offer bug bounties for severe, exploitable vulnerabilities. In-scope assets include our primary web application, matching engine API, and mobile apps. Eligible vulnerabilities include:

  • Remote Code Execution (RCE)
  • SQL Injection (SQLi)
  • Cross-Site Scripting (XSS)
  • Authentication bypass or authorization flaws
  • Cryptographic weaknesses in wallet handling

5. Out of Scope

The following activities and vulnerabilities are strictly out of scope and do not qualify for a bounty:

  • Distributed Denial of Service (DDoS) attacks.
  • Social engineering (phishing, vishing) of our employees or users.
  • Physical attacks against our facilities or data centers.
  • Spamming or flooding our APIs.
  • Vulnerabilities requiring the user to use outdated or unsupported browsers.

6. Contact Method

Please submit all security reports via encrypted email to: security@primemeridianmarkets.com. Include detailed steps to reproduce the issue, proof-of-concept code, and the potential impact.