Security

The security of our users' assets and information is our top priority. The XRP Toolkit team is committed to working with security experts across the globe to stay up to date with the latest security techniques.

Responsible Disclosure

If you have discovered a security issue that you believe we should know about, we'd welcome working with you. Please let us know about it and we'll make every effort to quickly correct the issue. Depending on the scope and severity of the discovered vulnerability, you may be eligible for a reward.

Scope

The following web services are in scope:

  • www.xrptoolkit.com
  • test.xrptoolkit.com
  • docs.xrptoolkit.com
  • xumm.xrptoolkit.com
  • lookup.xrptoolkit.com

XRP Toolkit integrates with several hardware and mobile wallets, including Ledger, Trezor and Xumm. This responsible disclosure policy also applies to our wallet integrations, but does not apply to the wallets themselves.

Rules of Engagement

Please follow these rules when looking for vulnerabilities in our systems:

  • Do not permanently modify or delete XRP Toolkit hosted data
  • Do not access more non-public XRP Toolkit data than necessary to provide a proof of concept
  • Do not share confidential or personal information obtained from our systems
  • Do not put backdoors in our systems, not even for providing a proof of concept
  • Do not engage in denial of service attacks or otherwise disrupt, interrupt or degrade our systems
  • Do not engage in social engineering or phishing against our employees, partners or users

How to Report a Vulnerability

If you find a vulnerability in any of our services, please send a vulnerability report to security@xrptoolkit.com and encrypt your e-mail using our PGP key.

Fingerprint:
0DC5 B973 F29E BE00 A2B4 982B 55DA 10F0 3FA0 608D

Please include a description of the vulnerability, where you found it and how we can reproduce it. You will be updated on our progress as we triage and patch your discovered vulnerability.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.