
Security: SantaFiXYZ/santafi-verified


SECURITY.md

Security Policy

🔒 Our Commitment

At SantaFi, we take security seriously. This document outlines our security practices and how to report vulnerabilities.


πŸ›‘οΈ What We Protect

Your Wallet

  • ✅ We NEVER store private keys
  • ✅ We NEVER request seed phrases
  • ✅ We NEVER access your wallet without explicit permission
  • ✅ All transactions require YOUR approval in your wallet

Your Data

  • ✅ We only store public wallet addresses
  • ✅ We track usage count for the credit system
  • ✅ We do NOT store personal information
  • ✅ We do NOT sell or share your data

Your Funds

  • ✅ All SOL transfers go to the verified treasury wallet
  • ✅ All transactions are on-chain and verifiable
  • ✅ No hidden fees or unauthorized transfers
  • ✅ You maintain full custody of your assets

📊 What We Collect

On Wallet Connection:

{
  "wallet_address": "ABC...XYZ",  // Public information
  "connected_at": "timestamp"      // For session management
}

On Credit Purchase:

{
  "wallet_address": "ABC...XYZ",
  "transaction_signature": "...",  // Public, on-chain
  "credits_purchased": 50,
  "timestamp": "..."
}

On Image Generation:

{
  "wallet_address": "ABC...XYZ",
  "used_count": 1,                 // Increment counter
  "timestamp": "..."
}

We do NOT collect:

  • ❌ Private keys
  • ❌ Seed phrases
  • ❌ Email addresses (unless you provide one for support)
  • ❌ IP addresses (beyond what standard server logs retain)
  • ❌ Browser fingerprints
  • ❌ Your generated images (processed in memory, not stored)

πŸ” Security Measures

Infrastructure

  • ✅ Helius RPC: Enterprise-grade Solana RPC with 99.9% uptime
  • ✅ Supabase: SOC 2 Type II certified database
  • ✅ Vercel: Edge network with DDoS protection
  • ✅ HTTPS: All traffic encrypted with TLS 1.3

Code Security

  • ✅ TypeScript: Statically typed code, so a whole class of bugs is caught at build time instead of surfacing at runtime
  • ✅ Input Validation: All user input is validated and sanitized before use
  • ✅ Rate Limiting: Protection against abuse
  • ✅ Environment Variables: Secrets live in environment variables and are never committed to the code

Wallet Security

  • ✅ Standard Wallet Adapter: Using the official Solana wallet adapter
  • ✅ No Custom Signing: Signing is delegated to your wallet; we do not implement our own transaction signing
  • ✅ User Approval: Every transaction requires explicit user approval
  • ✅ Transaction Transparency: All transaction details are visible in your wallet before signing

🚨 Reporting a Vulnerability

We appreciate responsible disclosure of security vulnerabilities.

How to Report

Preferred Method:

  • 📧 Email: security@santafi.xyz
  • 🔒 Use PGP if sensitive (key available on request)

Alternative:

  • 🐦 Twitter DM: @SantaFiXYZ
  • 💬 Discord: DM to @admin (coming soon)

What to Include

Please provide:

  1. Description of the vulnerability
  2. Steps to reproduce the issue
  3. Potential impact assessment
  4. Suggested fix (if you have one)
  5. Your contact info for follow-up

What to Expect

  • ⏱️ Initial Response: Within 48 hours
  • 🔍 Investigation: We'll verify and assess the issue
  • 🛠️ Fix: Critical issues patched within 7 days
  • 🎁 Recognition: Public acknowledgment (if you want)
  • 💰 Bounty: Case-by-case basis for critical findings

πŸ† Responsible Disclosure

We follow responsible disclosure practices:

Our Promise

  • ✅ We won't take legal action against good-faith security research
  • ✅ We'll work with you to understand and fix the issue
  • ✅ We'll keep you updated on our progress
  • ✅ We'll publicly acknowledge your contribution (with permission)

We Ask That You

  • ✅ Give us reasonable time to fix before public disclosure
  • ✅ Don't exploit the vulnerability beyond proof-of-concept
  • ✅ Don't access or modify user data
  • ✅ Don't perform DoS attacks

πŸ” Security Audit Status

Self-Audit

  • ✅ Code review completed: December 2024
  • ✅ Wallet integration verified
  • ✅ Payment flow tested
  • ✅ No private key storage confirmed

Third-Party Audit

  • ⏳ Planned for Q1 2025
  • 📋 Scope: Wallet integration, payment flow, smart contracts (if any)

Bug Bounty Program

  • ⏳ Coming soon
  • 💰 Rewards based on severity
  • 📜 Terms to be announced

πŸ› οΈ Security Best Practices for Users

Protect Your Wallet

  1. ✅ Use a Hardware Wallet: Ledger or similar for large amounts
  2. ✅ Verify Transactions: Always check transaction details before signing
  3. ✅ Check URLs: Ensure you're on santafi.xyz (not a phishing site)
  4. ✅ Keep Software Updated: Update your wallet extension regularly

Red Flags

  • 🚩 NEVER share your seed phrase - we will NEVER ask for it
  • 🚩 NEVER sign transactions you don't understand
  • 🚩 NEVER connect to suspicious websites
  • 🚩 NEVER download wallet software from unofficial sources

If Something Seems Wrong

  1. 🛑 Stop immediately - Don't proceed with the transaction
  2. 📧 Contact us - security@santafi.xyz
  3. 🔒 Disconnect wallet - Revoke the connection if needed
  4. 🐦 Report - Help protect the community

📞 Contact

Security Team

  • 📧 Email: security@santafi.xyz

General Support

  • 🌐 Website: santafi.xyz
  • 💬 Community: Discord (coming soon)

📜 Updates to This Policy

This security policy may be updated periodically. Major changes will be announced via:

  • 🐦 Twitter @SantaFiXYZ
  • 📧 Email (if you're subscribed)
  • 🌐 Website announcement

Last Updated: December 22, 2024


Your security is our priority 🔒

Back to README • Report Issue
