Security policy
This is the public summary; the internal hardening checklist is kept in the repository's SECURITY.md.
Reporting a vulnerability
- Email security@rugguard.io. Do not open a public issue.
- Include: description, steps to reproduce, impact assessment, and any PoC needed (no exploitation beyond what is necessary).
- We acknowledge within 72 hours and provide an initial assessment within 7 days.
- For CVSS ≥ 7 issues we patch and deploy within 30 days; lower-severity within 90 days.
- We credit reporters publicly unless they ask to remain anonymous.
- We do not pursue legal action against good-faith research that follows this process.
Out of scope as "security"
- "Token X was not flagged though it rugged" — this is a heuristic false negative, not a vulnerability. File a product issue.
- "Score is too high or too low" — heuristic debate, file a product issue.
- Volumetric DoS that does not involve a genuine bypass — covered by rate limiting and the x402 economic gate.
What we protect against
- Wallet keys. The CDP server wallet on Base mainnet receives payments. Operational float is capped and excess is swept to a hardware-secured cold wallet automatically.
- Secrets. Never committed to git. Stored on the production host with restrictive file permissions and rotated on a fixed schedule or after any suspected exposure.
- Webhook integrity. Outbound webhooks are signed with HMAC-SHA-256 using a per-watch secret. SSRF protections reject loopback, RFC 1918, and cloud-metadata destinations.
- Input validation. Chain identifiers are enum-checked. EVM addresses are checksum-validated. Solana addresses are base58-validated. SQL is parameterized.
- Transport. TLS 1.2+ enforced via Caddy with auto-renewed Let's Encrypt certificates and HSTS preload.
- Dependencies. CVE scanning (pip-audit) on every CI run.
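The webhook-integrity and SSRF controls listed above, as an added example (this is not RugGuard's own code): the sender tags the exact body bytes with HMAC-SHA-256 under a per-watch secret, the receiver recomputes and compares in constant time, and the destination check refuses anything that is not https or that is, or resolves to, a loopback, RFC 1918, link-local (which covers the 169.254.169.254 metadata endpoint), multicast, reserved or unspecified address. The header name X-RugGuard-Signature, the sha256= tag prefix, the blocked-hostname set and the resolver hook are assumptions made for the example.

```python
import hashlib
import hmac
import ipaddress
import socket
from urllib.parse import urlparse

# Assumed header name and tag format; the policy only states "HMAC-SHA-256 with a per-watch secret".
SIGNATURE_HEADER = "X-RugGuard-Signature"
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal"}  # assumed deny-list


def sign_webhook(secret: bytes, body: bytes) -> str:
    """Sender side: hex HMAC-SHA-256 tag over the exact bytes that will be sent."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, body: bytes, header_value: str) -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    if not header_value.startswith("sha256="):
        return False
    expected = sign_webhook(secret, body)
    return hmac.compare_digest(expected, header_value[len("sha256="):])


def _is_public_ip(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:10.0.0.1 as 10.0.0.1
    return not (ip.is_loopback or ip.is_private or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def _default_resolve(host: str) -> list[str]:
    """Resolve every A/AAAA answer; a single non-public answer must fail the check."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_safe_webhook_destination(url: str, resolve=_default_resolve) -> bool:
    parsed = urlparse(url)
    host = parsed.hostname
    if parsed.scheme != "https" or not host:
        return False
    host = host.lower().rstrip(".")
    if host in BLOCKED_HOSTNAMES:
        return False
    try:
        ipaddress.ip_address(host)
        addrs = [host]                      # IP literal: no DNS involved
    except ValueError:
        try:
            addrs = resolve(host)
        except OSError:                     # socket.gaierror is an OSError
            return False
    return bool(addrs) and all(_is_public_ip(a) for a in addrs)


def prepare_webhook(url: str, secret: bytes, body: bytes, resolve=_default_resolve) -> dict:
    """Headers for one outbound delivery, or ValueError if the destination fails the SSRF policy."""
    if not is_safe_webhook_destination(url, resolve):
        raise ValueError("webhook destination rejected: non-https or non-public address")
    return {"Content-Type": "application/json",
            SIGNATURE_HEADER: "sha256=" + sign_webhook(secret, body)}
```

Checking the destination at registration or send time still leaves a window in which a DNS answer can change between the check and the connection; the `resolve` hook is the place where a production sender would pin the connection to the address it vetted rather than letting the HTTP client resolve the name again.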
What RugGuard does not guarantee
RugGuard returns best-effort analytics. It is not a security audit, not investment advice, and not a guarantee that a flagged-as-safe contract is safe or that a flagged-as-risky contract is malicious. Both false positives and false negatives are expected. Liability is capped at the cost of the call. See /terms.html.