← Back to Nextbridge

Security at Nextbridge

We take security reports seriously. This page documents how to report a vulnerability, what's in scope, what to expect from us, and the protections we've already built in.

Report a vulnerability

Email security@nextbridge.exchange with a clear technical description, reproduction steps, and your assessment of impact. If the issue is sensitive, request our PGP key in the first message — we'll send it and switch to encrypted mail.

Machine-readable contact info also lives at /.well-known/security.txt (RFC 9116).

Please do not post details publicly until we've confirmed and shipped a fix. We aim to acknowledge reports within 48 hours and ship critical fixes within 7 days.

Scope

In scope:

  • The nextbridge.exchange domain and its subdomains.
  • The Public API v1 surface at /api/v1/*.
  • The MCP server at /api/mcp.
  • The @nextbridge/sdk npm package.
  • On-chain withdrawal signing (BTC, EVM chains, TRC20, SOL, LTC, DOGE).

Out of scope:

  • Denial-of-service attacks (we use Cloudflare + Vercel rate-limits already).
  • Social-engineering of staff, users, or third parties.
  • Vulnerabilities requiring physical access to a user's device.
  • Self-XSS that requires the victim to paste attacker-supplied content.
  • Missing security headers without a demonstrable attack chain.
  • Reports from automated scanners with no manual verification.

What's already protected

Helpful context before you go hunting — these are deliberate design choices:

  • API keys are sha256-hashed at rest. The plaintext is shown once at creation and never again.
  • Granular scopes (read / trade / withdraw / admin) gate every v1 route. Per-key rate-limit overrides + optional IP allowlist add a second layer.
  • 2FA-gated writes: withdrawals and address-allowlist edits both require a valid TOTP code at request time.
  • Address allowlist (strict mode): when enabled, withdrawals can only target pre-approved destinations.
  • Idempotency-Key on every write endpoint prevents double-execution on client retries (24h replay window).
  • Audit log: every authenticated write writes a row to ApiKeyAuditLog with caller IP, scope, key id.
  • HMAC-SHA256 webhook signatures with a per-subscription secret + a 5-minute timestamp window — receivers can verify our outbound deliveries.
  • Proof of Reserves published monthly — every user can independently verify their balance is in the snapshot. See /proof-of-reserves.

What we'll do when you report

  1. Acknowledge within 48 hours.
  2. Triage: confirm reproducibility, score severity, share our internal assessment with you.
  3. Fix: patch shipped within 7 days for criticals, 30 days for everything else.
  4. Disclose: coordinated disclosure once the fix is live. With your permission we'll credit you in the Hall of Fame below.

Nextbridge is currently pre-launch with no bounty payouts yet. Once we list as a public program (planned: Immunefi free tier alongside investor-pitch in late 2026), prior reports will be eligible for retroactive recognition.

Hall of fame

Researchers who've responsibly disclosed issues will be listed here. The wall is empty for now — be the first.