A commitment to security

Supersafe is committed to helping protect customers with leading privacy and security technologies—designed to safeguard personal information—and comprehensive methods, to help protect corporate data in an enterprise environment. Supersafe rewards researchers for the work they do to uncover vulnerabilities by offering the Supersafe Security Bounty. Details of the program can be found below.

We maintain a dedicated security team to support all Supersafe products. The team provides security auditing and testing for products, both under development and released. The Supersafe team also provides security tools and training, and actively monitors for threats and reports of new security issues.

Supersafe continues to push the boundaries of what’s possible in security and privacy. We use standard and audited Multisig and MPC technologies for enterprise self-custody accounts across the product lineup—from Treasury and Swapper, to AutoRamp and Connect—powering amazing decentralization with built-in privacy and security. For example, our Dual-Entry Accounting enterprise financial record keeper forms the foundation for secure reconciliation across institutional bank accounts and blockchain self-custody accounts.

In addition, security features on accounts powered by MPC and multisigs on Supersafe —such as SAFE, Squads and Mean Multisig—help thwart common types of cyberattacks on corporate treasuries. These technologies allow our customers to co-manage their assets with multiple private keys, such that the same account can be jointly managed by many users enabling decentralized co-ownership for DAOs, teams, groups and enterprises. Therefore, even if attacker code somehow executes, the damage it can do is dramatically reduced.

To make the most of the extensive security features built into our platforms, organizations are encouraged to review their IT and security policies to ensure that they are taking full advantage of the layers of security technology offered by these platforms.

Supersafe believes privacy is a fundamental human right and has numerous built-in controls and options that allow users to decide how and when apps use their information, as well as what information is being used. To learn more about Supersafe’s approach to privacy, privacy controls on our products, see our privacy policy at https://www.supersafe.com/privacy.

Supersafe Security Bounty Program

If you submit research for a security or privacy vulnerability, your report may be eligible for a reward. The Supersafe Security Bounty program is designed to recognize your work in helping us protect the security and privacy of our users.

If you believe you’ve discovered a security or privacy vulnerability that affects Supersafe products or services, please report it directly to us. We review all eligible research for Supersafe Security Bounty rewards. And with our online tools, submitting and tracking your reports is easier than ever.

Categories and Payouts

Reward payments are made at Supersafe’s sole discretion and are based on the type of issue, the level of access or execution achieved, and the quality of the report. A high-quality research report is critical to help us confirm and address an issue quickly, and could help you receive an Supersafe Security Bounty reward.

The examples shown for each category are representative of potential Supersafe Security Bounty payments. While we’re unable to anticipate specific reward payments in advance, we consider every security issue that has a significant impact to users for an Supersafe Security Bounty reward, even if it doesn’t match a published category.

• Unauthorized access to account data on Supersafe servers

  • Takeover of Supersafe account data associated with a Login that doesn't belong to you

  • Reward Range: $10k - $100k

• Remote Code Execution

  • Command injection, deserialization bugs, XXE leading to RCE

  • Reward Range: $10k - $40k

• Unrestricted file system or database access

  • Unsandboxed XXE, SQL injection disclosing non-sensitive and/or sensitive information

  • Reward Range: $5k - $25k

• Logic flaw bugs leaking or bypassing significant security controls

  • Direct object reference, remote user impersonation, account takeover, privilege escalation, IDOR, SSRF, directory traversal, HTTP request smuggling, proxy misconfiguration leading to bypass of security controls.

  • Reward Range: $2.5k - $20k

• Code execution on the client/server

  • Stored/DOM/Blind XSS, CSRF, HTML injection (more than phishing) or having write access authorization when prohibited

  • Reward Range: $1,000 - $10,000

• Confidential or sensitive data

  • Generalized access control issues leading to exposure of PII

  • Reward Range: $1,000 - $5,000

• Domain and subdomain takeovers

  • DNS zone, domain, and subdomain takeovers

  • Reward Range: $500 - $2,500

Issues eligible for public acknowledgment

We review all issues reported to us, and all legitimate services issues are eligible for public acknowledgement. While we request that you report all issues, the following issues are eligible for bounty reward payments only if they’re evaluated as novel or high impact based on Supersafe’s discretion.

• Open Redirects

• Reflected or Self XSS

• Bugs requiring exceeding unlikely user interaction

• Cross-site request forgery vulnerabilities where the only impact is logout

• Banner Grabbing or Service Versions without a vulnerability or PoC

• Rate Limiting unless credentials are able to be guessed

• External and Public Credential Dumps

• Denial of Service vulnerabilities

• Username enumeration unless some personal identifiable information is disclosed like email or phone number

• Report from automated tools or scanners where the vulnerability is not proven

• Expired Certificates

• DMARC/SPF Misconfiguration concerns

• Social engineering

Reports about properties that Supersafe doesn’t own or operate are not eligible.

Additional information for Services reports.

• Testing Remote Code Execution (RCE) vulnerabilities can be tricky. When you test a proof of concept for RCE, please do non-destructive tests (e.g. “id” or “whoami” or “cat/etc/passwd”).
• To assist with triage and remediation, please provide all tactics, techniques, and procedures (TTPs), used to trigger the vulnerability, in addition to any commands.
• When testing for Server-side Request Forgery (SSRF) vulnerabilities, try to use ssrf.corp.supersafe.com for internal probes.
• When doing XSS testing, please be verbose and tag your payloads such that it’s easier to understand which form fields were vulnerable to attack. Additionally, test with document.domain vs. alert(1) to avoid inadvertent SelfXSS reports.
• Public Resources (e.g. Pastebin dumps of credentials and/or commonly assumed public information), we will accept, but are usually not eligible for Apple Security Bounty rewards or credit.

We may also classify other types of vulnerabilities as ineligible for Supersafe Security Bounty rewards, such as if the vulnerability has low impact. Publicly disclosed vulnerabilities and vulnerabilities exposed within 24 hours of public release may not be eligible for Supersafe Security Bounty.

Security Audits, Partners And Procedures

Besides the numerous internal procedures our systems and security engineers go through to ensure the reliability of our systems and their security, Supersafe relies in third-party audits and other battle-tested digital assets infrastructure to power the Supersafe experience.

We secure customer and investor funds from cyber attacks, internal collusion, and human error with a multi-layer technology that combines the latest breakthroughs in multisig, account abstraction and MPC cryptography with hardware isolation. Here's a non-exhaustive list of the partners we work with: Fireblocks, SAFE, Squads, Mean Multisig, Plaid. Each of these partners are leaders in their respective spaces and offer battle-tested products with extensive security infrastructure and audited smart contracts that align with Supersafe's commitment to privacy and security.

Our MPC-wallet infrastructure is designed to make managing cryptographic wallets intuitive, reducing onboarding times, increasing conversion and improving security. It achieves this by distributing a user's private key across multiple key shares that enables multi-factor account handling. The system leverages Threshold Cryptography principles or MPC (Multi-Party Computation), where a user needs a threshold of m out of n key shares to access their private key or generate transaction signatures.

One of the key advantages of this infrastructure is that it eliminates the need to store complete private keys anywhere, including databases, devices and participating nodes. Instead, the private key is distributed across the system in a non-custodial manner, reducing the risk of a single point of failure and preventing potential losses due to device theft or loss. This infrastructure provides:

• Seamless non-custodial wallet user experiences.

• Compatibility with existing authentication methods and blockchain ecosystems.

• Global performance and scalability to meet the demands of the Web3 market.