Vulnerability Disclosure

Security researchers make the internet safer, and we want to hear from you. If you believe you have found a vulnerability in any Reserve system, tell us and we will take it seriously, act quickly, and credit you if you want credit.

How to report

Email security@reservebtc.co with a description of the issue, steps to reproduce, and the affected URL or endpoint. Machine-readable details live at /.well-known/security.txt (RFC 9116). We acknowledge reports within 2 business days.

Our commitments

  • Acknowledgement within 2 business days, triage within 5.
  • We keep you informed of progress through to resolution.
  • Public credit for the finding if you would like it (or anonymity if you prefer).
  • We will not pursue or support legal action against good-faith research that follows this policy (safe harbour).

Ground rules

  • Do not access, modify, or destroy data that is not yours; use test accounts where possible.
  • No denial-of-service testing, spam, or social engineering of Reserve staff or clients.
  • Give us a reasonable window to remediate before any public disclosure.
  • Do not pivot from Reserve systems into third-party infrastructure (custodians, payment institutions).

Scope

In scope: reservebtc.co and its subdomains, including the borrower dashboard and public APIs. Third-party services we use (custody, email, hosting) are out of scope. Report issues with those to the respective providers.