Security
How we secure your account and data: defence in depth, no security theatre. If you find a vulnerability, please follow the disclosure policy below.
Security Practices
TLS 1.3 everywhere
All traffic between your browser and our servers is encrypted with TLS 1.3. We force HTTPS via HSTS with a 1-year max-age and the includeSubDomains flag.
Password hashing
Passwords are hashed with bcrypt (cost factor 12). We never store plaintext passwords and we cannot recover yours — only reset it.
Session security
Session tokens live in httpOnly + Secure + SameSite=Lax cookies. They cannot be read by JavaScript and they expire on a sliding window of 7 days.
CSRF protection
All state-changing endpoints require a CSRF token verified server-side. Cross-origin requests are rejected at the edge.
2FA available
TOTP-based two-factor authentication is supported. Enable it in your Profile page using any authenticator app (Google Authenticator, Authy, 1Password, etc.).
Brute-force protection
Failed login attempts are throttled per IP address and per account. Suspicious patterns trigger a temporary lockout and an email to the account owner.
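The following is an added example (not the site's code) of what per-IP plus per-account throttling with a temporary lockout and owner notification looks like in Node.js. The window, the thresholds (20 failures per IP, 5 per account) and the 30-minute lockout are assumptions chosen for illustration; the clock and notifier are injected so the behaviour can be exercised deterministically.

```javascript
// Added example, not the site's own code: per-IP and per-account login throttling
// with a temporary lockout. WINDOW_MS, MAX_PER_IP, MAX_PER_ACCOUNT and LOCKOUT_MS
// are assumed values, not the site's real thresholds.
const WINDOW_MS = 15 * 60 * 1000;   // count failures over the last 15 minutes
const MAX_PER_IP = 20;              // failures from one address before it is locked
const MAX_PER_ACCOUNT = 5;          // failures against one account before it is locked
const LOCKOUT_MS = 30 * 60 * 1000;  // how long a lock lasts

class LoginThrottle {
  // `now` is an injectable clock and `notify` is called with the account id when
  // that account is locked, so an email to the owner can be sent from there.
  constructor(now = () => Date.now(), notify = () => {}) {
    this.now = now;
    this.notify = notify;
    this.failures = new Map();    // key -> array of failure timestamps (ms)
    this.lockedUntil = new Map(); // key -> unlock time (ms)
  }

  // Failure timestamps for a key, pruned to the sliding window.
  _recent(key) {
    const cutoff = this.now() - WINDOW_MS;
    const list = (this.failures.get(key) || []).filter(t => t > cutoff);
    this.failures.set(key, list);
    return list;
  }

  _isLocked(key) {
    const until = this.lockedUntil.get(key);
    if (until === undefined) return false;
    if (this.now() >= until) { this.lockedUntil.delete(key); return false; }
    return true;
  }

  // Call before checking the password. Locked requests never reach the hash check,
  // which also keeps the bcrypt cost from being used as a CPU amplifier.
  check(ip, account) {
    if (this._isLocked(`ip:${ip}`)) return { allowed: false, reason: 'ip-locked' };
    if (this._isLocked(`acct:${account}`)) return { allowed: false, reason: 'account-locked' };
    return { allowed: true, reason: null };
  }

  // Call after a failed password check. Both counters advance; either may lock.
  recordFailure(ip, account) {
    const t = this.now();
    const counters = [[`ip:${ip}`, MAX_PER_IP], [`acct:${account}`, MAX_PER_ACCOUNT]];
    for (const [key, limit] of counters) {
      const list = this._recent(key);
      list.push(t);
      if (list.length >= limit && !this._isLocked(key)) {
        this.lockedUntil.set(key, t + LOCKOUT_MS);
        if (key.startsWith('acct:')) this.notify(account);
      }
    }
  }

  // Call after a successful login: a correct password clears the account's counter
  // but deliberately not the IP's, so a spray across many accounts still trips.
  recordSuccess(account) {
    this.failures.delete(`acct:${account}`);
  }
}
```

Keeping the two counters separate is what lets the account limit stay low (a real owner rarely fails five times in a row) while the IP limit catches one address cycling through many accounts.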
Encryption in transit and at rest
All traffic is served over HTTPS by AWS Amplify (TLS 1.3). Data at rest lives in Supabase Postgres with provider-managed AES-256 encryption and encrypted automated backups.
Audit logging
Privileged actions (password change, 2FA setup, API key creation, admin operations) are logged to an append-only audit trail in Supabase (admin_audit table). You can export your own audit trail from your Profile page.
Sentry monitoring
Server and client errors are reported to Sentry with PII automatically scrubbed. We get paged if error rates spike.
Dependency hygiene
Dependencies are scanned for known vulnerabilities on every commit. Critical CVEs are patched within 24 hours of disclosure.
Secrets management
API keys, database credentials, and signing secrets are stored in AWS Secrets Manager — never in source code, never in environment files committed to git.
Read-only data access
We never ask for your exchange API key with withdrawal permission. Any optional integration uses read-only or trade-only scopes, never withdrawal.
Vulnerability Disclosure
- What's in scope: cryptopulse24.com and any *.cryptopulse24.com subdomain. This includes API endpoints, the web app, and supporting infrastructure under our control.
- What's out of scope: third-party services we link to (exchanges, brokers), social engineering of our staff, denial-of-service attacks, physical attacks, and reports already known or public.
- Safe harbour: if you act in good faith, follow this policy, and don't access user data beyond a proof of concept, we will not pursue legal action and we will publicly thank you (if you wish).
- Reporting: email [email protected] with a clear write-up covering steps to reproduce, impact, and any relevant logs or screenshots. Encrypt with our PGP key on request.
- Response time: we acknowledge within 48 hours and aim to resolve critical issues within 7 days. We'll keep you updated throughout.
- Reward: we don't run a paid bug-bounty programme yet, but we offer Pro-tier credits, public credit on this page (with permission), and a hand-written thank-you.
What We'll Never Ask You
- Your seed phrase, mnemonic, or private key. We don't custody crypto and we never need this.
- An exchange API key with withdrawal permission. Read-only or trade-only is the maximum we'd ever request.
- Your password by email or DM. Resets always go through the link sent to your verified email.
- Verification codes (2FA, email OTP) by phone or chat. Anyone asking for these is impersonating us.
Contact
- Security reports: [email protected]
- General contact: [email protected]