Security Policy

We build security infrastructure. We hold ourselves to the highest standard. Here's how we handle security research, vulnerability reports, and responsible disclosure.

Responsible Disclosure

We deeply appreciate the security research community. If you've found a vulnerability in Phoenix Platform, our website, or any related services, we want to hear about it — and we want to make the process smooth and respectful for everyone involved.

How to Report

Email your findings to security@phoenixrise.io. Please include:

  • A clear description of the vulnerability
  • Steps to reproduce (the more detail, the better)
  • Impact assessment (what an attacker could achieve)
  • Any supporting materials (screenshots, PoC code, logs)

Our Commitment

  • Acknowledgment: We'll confirm receipt within 24 hours
  • Assessment: We'll provide an initial assessment within 72 hours
  • Resolution: We'll work to fix confirmed vulnerabilities promptly
  • Credit: With your permission, we'll publicly credit your discovery
  • No legal action: We will not pursue legal action against researchers who act in good faith and follow this policy

Scope

The following are in scope for security research:

  • PhoenixSig cryptographic implementation
  • phoenixrise.io web application
  • Published APIs and SDKs
  • Documentation accuracy (security-relevant errors)

The following are out of scope:

  • Social engineering of Phoenix Platform employees
  • Physical attacks on our infrastructure
  • Denial-of-service attacks
  • Automated scanning without prior coordination

Security Practices

Cryptographic Standards

PhoenixSig uses exclusively NIST-standardized or NIST-approved cryptographic primitives: ML-DSA-65 (FIPS 204), SLH-DSA (FIPS 205), HKDF-SHA256 (RFC 5869), and SHA-3 where applicable. We do not use custom or non-standard cryptographic constructions for core security operations.

Development Practices

  • All cryptographic code undergoes peer review by at least two engineers
  • Constant-time implementation requirements for all secret-dependent operations
  • Continuous integration with cryptographic test vectors
  • Dependency auditing and supply chain verification

Transparency

Our threat model is published and maintained. We document our security assumptions explicitly and are clear about what PhoenixSig does and does not protect against.
Contact

Security reports: security@phoenixrise.io

General inquiries: hello@phoenixrise.io

For urgent security matters, please include "[URGENT]" in your subject line.

Last updated: February 2026