Contact: security@sayanchor.com
Expires: 2027-01-14T12:50:00Z
Preferred-Languages: en
Canonical: https://www.sayanchor.com/.well-known/security.txt

# Anchor Security Disclosure Policy
# https://www.sayanchor.com/.well-known/security.txt

## Responsible Disclosure

Anchor values the security of our users and their financial data. We welcome responsible security research and coordinated vulnerability disclosure from the security community.

If you discover a security vulnerability in Anchor's infrastructure or services, please report it responsibly to our security team rather than disclosing it publicly.

## Reporting a Vulnerability

**Submit your report via HackerOne:** [https://hackerone.com/c9653bdd-a18d-491b-a890-27776b50288c/embedded_submissions/new?locale=en](https://hackerone.com/c9653bdd-a18d-491b-a890-27776b50288c/embedded_submissions/new?locale=en)

**Backup Contact:** security@sayanchor.com

When reporting a vulnerability, please include:

- Detailed description of the vulnerability
- Steps to reproduce (if applicable)
- Affected components or systems
- Potential impact assessment
- Your contact information for follow-up

**Response & Resolution Targets:**

- **Time to First Response:** 5 days
- **Time to Triage:** 10 days
- **Time to Resolution by Severity:**
  - Critical: 30 days
  - High: 30 days
  - Medium: 60 days
  - Low: 90 days
  - None: 90 days

## Security Practices

Anchor implements industry-standard security controls including:

- **Encryption in Transit:** TLS 1.2+ for all communications; third-party integrations required to use TLS 1.2 or higher
- **Encryption at Rest:** AES-256 encryption for sensitive data; database-level encryption for additional protection
- **Payment Security:** PCI-DSS compliant payment processing; no unencrypted payment transmission
- **Infrastructure:** US onshore servers with physical access controls, 24/7 monitoring, and comprehensive audit logging
- **Authentication:** Support for two-factor authentication (2FA); passwords hashed using Argon2
- **Access Controls:** Employee access restricted and logged; read-only bank connections; minimum necessary data access
- **Monitoring:** Real-time fraud detection with multi-layered risk analysis

## Out of Scope

The following are out of scope for our vulnerability disclosure program:

- Social engineering attacks or phishing attempts
- Physical security vulnerabilities
- Brute force attacks on standard authentication
- Attacks requiring physical access to infrastructure
- Denial of service (DoS/DDoS) attacks
- Spam or mass vulnerability scanning
- Third-party vulnerabilities (report directly to the provider)
- Vulnerabilities in third-party services we integrate with
- Issues in deprecated or end-of-life components without active user impact

## Safe Harbor

Anchor commits to not pursuing legal action against security researchers who:

- Report vulnerabilities responsibly and in good faith
- Avoid accessing data unnecessarily or beyond the scope needed to demonstrate the vulnerability
- Avoid modifying or disrupting systems or data
- Maintain confidentiality until we've released a fix or public disclosure date
- Do not publicly disclose the vulnerability without prior coordination with our security team

## Security Headers & Practices

Anchor enforces:

- HSTS (HTTP Strict-Transport-Security) with preload
- Content Security Policy (CSP)
- X-Frame-Options: SAMEORIGIN

## PGP Key

For highly sensitive disclosures, you may encrypt communications using our PGP key.

## Additional Resources

- **Data Privacy Policy:** https://www.sayanchor.com/data-privacy
- **Terms of Service:** https://www.sayanchor.com/terms-of-service

## Contact Information

- **Security Email:** security@sayanchor.com
- **Website:** https://www.sayanchor.com

---

*Last Updated: 2026-01-14*
*Expires: 2027-01-14*