Quantera takes the security of our platform seriously. As an institutional-grade asset tokenization platform handling financial transactions, we maintain rigorous security standards.
| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0 | ❌ |
Please do not:
- Open a public GitHub issue for a security vulnerability
- Disclose the vulnerability publicly before it's been addressed
- Exploit the vulnerability beyond what's necessary to demonstrate it
Report vulnerabilities privately through one of these channels:
- Email: security@quantera.finance
- GitHub Security Advisories: Use the "Report a vulnerability" button in the Security tab
Please provide as much information as possible:
1. Type of vulnerability (e.g., XSS, SQL injection, authentication bypass)
2. Location of the affected code (file path, function name)
3. Step-by-step reproduction instructions
4. Proof of concept (if available)
5. Potential impact assessment
6. Suggested remediation (if any)
| Action | Timeline |
|---|---|
| Initial acknowledgment | Within 24 hours |
| Severity assessment | Within 72 hours |
| Status update | Every 7 days |
| Fix deployment (Critical) | Within 7 days |
| Fix deployment (High) | Within 30 days |
| Fix deployment (Medium/Low) | Within 90 days |
Security measures:
- Authentication: Multi-factor authentication support, secure session management
- Authorization: Role-based access control (RBAC), principle of least privilege
- Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
- Input Validation: Strict validation on all user inputs
- Output Encoding: XSS prevention through proper encoding
- Network: WAF protection, DDoS mitigation, network segmentation
- Monitoring: 24/7 security monitoring and alerting
- Access Control: Zero-trust architecture, audit logging
- Secrets Management: Encrypted secrets, no hardcoded credentials
- Audits: Third-party security audits before deployment
- Testing: Comprehensive test coverage including fuzzing
- Upgradability: Secure upgrade patterns with timelocks
- Access Control: Multi-signature requirements for critical operations
- SOC 2 Type II compliance
- GDPR data protection compliance
- Regular penetration testing
- Continuous vulnerability scanning
Input validation:
```typescript
// DO: Validate all inputs
const MAX_AMOUNT = 1_000_000; // platform-specific cap; the value here is illustrative
const AMOUNT_PATTERN = /^\d+(\.\d+)?$/; // plain decimal only: rejects "12abc", "1e5", "0x10", "-1"

const validateAmount = (amount: string): boolean => {
  if (!AMOUNT_PATTERN.test(amount)) return false; // parseFloat("12abc") would have returned 12
  const parsed = Number(amount);
  return Number.isFinite(parsed) && parsed > 0 && parsed <= MAX_AMOUNT;
};

// DON'T: Trust user input
const unsafeQuery = `SELECT * FROM users WHERE id = ${userId}`; // SQL Injection!
```

Secrets management:
```typescript
// DO: Use environment variables
const apiKey = process.env.API_KEY;
if (!apiKey) throw new Error("API_KEY is not set"); // fail closed instead of running without a key

// DON'T: Hardcode secrets
const apiKey = "sk_live_abc123..."; // Never do this!
```
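The DON'T above shows the injected query but not its hardened counterpart. As an added example (not Quantera's code), here is the same lookup built both ways: the interpolated string an attacker can rewrite, and a validated, parameterized form. It assumes a node-postgres style `{ text, values }` query object and makes no database connection, so the functions only build the queries.

```typescript
// Added example, not part of the Quantera code base.
// Assumption: the driver accepts a { text, values } object with $1-style placeholders
// (node-postgres convention). Nothing here talks to a database.

type ParamQuery = { text: string; values: unknown[] };

// DON'T: interpolating the raw value lets the input become part of the statement.
function buildUnsafeQuery(userId: string): string {
  return `SELECT * FROM users WHERE id = ${userId}`;
}

// Shape check for a numeric identifier: digits only, bounded length.
function isValidUserId(userId: string): boolean {
  return /^\d{1,18}$/.test(userId);
}

// DO: validate the shape first, then hand the value to the driver as a bound
// parameter so it is never parsed as SQL, whatever characters it contains.
function buildSafeQuery(userId: string): ParamQuery {
  if (!isValidUserId(userId)) {
    throw new Error("invalid user id");
  }
  return { text: "SELECT * FROM users WHERE id = $1", values: [userId] };
}

// Constructed attacker input: a plausible id followed by a tautology.
const INJECTED_ID = "1 OR 1=1";

// With the unsafe builder the tautology lands inside the WHERE clause and the
// query returns every row; the safe builder rejects it before any SQL is built.
console.log(buildUnsafeQuery(INJECTED_ID));
try {
  buildSafeQuery(INJECTED_ID);
} catch (e) {
  console.log("rejected:", (e as Error).message);
}
console.log(buildSafeQuery("42"));
```

Validation and parameterization are complementary: the regex rejects malformed identifiers early with a clear error, while the bound parameter is what actually prevents injection if some other code path skips the check.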
Dependency management:
```bash
# Regularly audit dependencies
npm audit
# Keep dependencies updated
npm update
```

We offer rewards for responsibly disclosed vulnerabilities:
| Severity | Reward Range |
|---|---|
| Critical | $5,000 - $25,000 |
| High | $1,000 - $5,000 |
| Medium | $250 - $1,000 |
| Low | $50 - $250 |
Eligibility:
- First reporter of a valid vulnerability
- Followed responsible disclosure guidelines
- Did not exploit the vulnerability
- Not a current or recent employee/contractor
In Scope:
- quantera.finance web application
- Smart contracts deployed on mainnet
- API endpoints
- Authentication/authorization systems
Out of Scope:
- Third-party services
- Social engineering attacks
- Physical security
- Denial of service attacks
- Issues already known or reported
Contact:
- Security Team: security@quantera.finance
- PGP Key: [Available on request]
- Response Hours: 24/7 for critical issues
We thank the following security researchers for their responsible disclosures:
This section will be updated as we receive and resolve reports.
Last updated: December 2025