Matrex
Security

Vulnerability Disclosure Policy

Version
v1.0
Effective date
9 June 2026
Last reviewed
9 June 2026

1. Reporting a vulnerability

1.1

Matrex welcomes coordinated disclosure of security vulnerabilities from independent security researchers, customers, and members of the public.

1.2

Reports should be sent by email to security@matrex.io.

1.3

Where possible, encrypt sensitive reports using the Matrex security team PGP key. The production PGP key will be published at /pgp/matrex-security.asc once generated. Until then, email security@matrex.io to request the current key.

1.4

The SHA-256 fingerprint of the published PGP key is:

PGP key fingerprint (SHA-256)

TBD — placeholder fingerprint. The production key fingerprint will be published here once the Matrex security PGP key is generated and signed.

If the fingerprint shown here does not match the key you downloaded, do not trust the key and contact security@matrex.io through an alternative channel.

1.5

A good report includes:

  1. a clear description of the vulnerability;
  2. the affected component, host, contract address, dashboard, or endpoint;
  3. reproduction steps, payloads, and expected versus actual behaviour;
  4. impact assessment and any proof-of-concept material;
  5. your contact details and preferred attribution name; and
  6. whether you intend to publish or coordinate public disclosure.
1.6

Matrex aims to acknowledge receipt of all reports within five business days.

2. Scope

2.1

The following systems are in scope:

  1. all hostnames under *.matrex.io, including marketing, investor, issuer, admin, API, and documentation surfaces;
  2. Matrex smart contracts deployed to mainnet (deployed mainnet address placeholder until token launch — the published contract address will be authoritative);
  3. all Matrex-operated backend services, APIs, and webhooks;
  4. all Matrex-operated dashboards (investor, issuer, administrator); and
  5. infrastructure-as-code, build pipelines, and supply chain integrity for the above.
2.2

The following are out of scope:

  1. third-party services that Matrex integrates with (including Sumsub, Stripe, DocuSign, hosting providers, RPC providers, blockchain analytics vendors, and email vendors) — report vulnerabilities in those products directly to the vendor's own security programme;
  2. social engineering, phishing, vishing, or pretexting against Matrex staff, customers, or contractors;
  3. physical attacks against Matrex offices, data centres, or personnel;
  4. denial-of-service testing, distributed denial-of-service testing, volumetric attacks, or resource-exhaustion tests against production;
  5. spam, automated mass-account creation, or rate-limit probing against production systems;
  6. self-XSS or attacks requiring full pre-existing compromise of the victim's device or account;
  7. vulnerabilities that depend on outdated browsers, jailbroken devices, or non-default configurations;
  8. missing security best-practice headers without a demonstrable exploit; and
  9. reports generated solely by automated scanners without manual validation.

3. Rewards and recognition

3.1

A monetary bug bounty programme is scheduled for Phase 2.

3.2

Until the bounty programme launches, Matrex offers public acknowledgement and recognition for valid, responsibly disclosed reports.

3.3

Researchers may be listed (with consent) on the Matrex security hall of fame.

3.4

The reward structure, severity bands, and per-finding payout ranges will be published on this page when the bounty programme launches. Reports submitted under this policy before the bounty programme launches will not be retroactively eligible for monetary rewards.

4. Safe harbour

4.1

Matrex supports good-faith security research and adopts safe-harbour language consistent with disclose.io.

4.2

If you make a good-faith effort to comply with this policy, Matrex will:

  1. not initiate or recommend legal action against you in connection with your research;
  2. not pursue civil action or notify law enforcement;
  3. treat your research as authorised activity under the Computer Fraud and Abuse Act, the New Zealand Crimes Act 1961 sections 248–252, the United Kingdom Computer Misuse Act 1990, and equivalent statutes in other jurisdictions; and
  4. treat your research as exempt from anti-circumvention claims under the Digital Millennium Copyright Act 17 U.S.C. § 1201 and equivalent statutes.
4.3

If legal action is initiated by a third party against you for activities that complied with this policy, Matrex will make this safe-harbour commitment known.

4.4

To stay within safe harbour you must:

  1. only test against in-scope systems;
  2. avoid privacy violations, destruction of data, and interruption or degradation of service;
  3. only access the minimum amount of data necessary to demonstrate the vulnerability;
  4. not retain, copy, transfer, or otherwise use personal data accessed during testing beyond what is required to evidence the report, and securely delete it after reporting;
  5. not exploit a vulnerability beyond what is necessary for confirmation;
  6. give Matrex reasonable time to remediate before public disclosure; and
  7. comply with applicable laws.
4.5

Activities that are inconsistent with this policy (for example, social engineering, physical intrusion, or extortion) are not authorised and remain outside the safe-harbour commitment.

5. Test accounts

5.1

Researchers should not test against production user data.

5.2

For account-bound testing, contact security@matrex.io to request a sandbox account. Sandbox accounts run against a non-production environment with synthetic data.

5.3

Where a vulnerability can only be reproduced against production, report the issue immediately and do not attempt to enumerate, exfiltrate, or modify other users' data.

6. Disclosure timeline

6.1

Matrex follows a coordinated disclosure timeline:

  1. Initial response — within five business days of receipt;
  2. Triage and severity assessment — within ten business days;
  3. Remediation target — ninety days from triage for valid findings, prioritised by severity. Critical findings affecting smart contracts, custody-adjacent flows, or authentication will be prioritised on a shorter clock;
  4. Public disclosure — coordinated with the reporter. Matrex prefers joint disclosure after a fix is shipped and customers have been notified.
6.2

If Matrex requires additional time beyond ninety days for a complex remediation, the security team will communicate the revised timeline and reason.

6.3

Researchers should not disclose findings publicly until Matrex confirms that the issue has been remediated or that public disclosure is appropriate.

7. Contact

Security reports and questions about this policy should be sent to:

Matrex Security

Email: security@matrex.io

PGP key: published at /pgp/matrex-security.asc once generated — email to request before then.

security.txt: /.well-known/security.txt

Hall of fame: /security/hall-of-fame

This document is published by Matrex. It may be updated from time to time — the effective date at the top of this page reflects the current version.