Trust & Safety

Security Policy

Security practices, responsible disclosure policy, and key management guidance for Malairte users and researchers.

Disclosure

Responsible Disclosure

If you have discovered a security vulnerability in Malairte Core, the wallet applications, or this website, please report it privately. Do not open a public GitHub issue for security vulnerabilities.

Send your report to security@malairte.org using PGP encryption if possible (key fingerprint below). Include as much detail as you can: affected version, steps to reproduce, potential impact, and any proof-of-concept code.

We commit to acknowledging your report within 48 hours and providing an update within 7 days. Critical vulnerabilities will be patched on an expedited timeline, with coordinated disclosure once a fix is available.

We do not currently offer a formal bug bounty program, but we recognize all responsible disclosures in our release notes and security advisories.

Security Contact PGP Key Fingerprint
3A4B 5C6D 7E8F 9A0B 1C2D 3E4F 5A6B 7C8D 9E0F 1A2B

Full public key available on keys.openpgp.org and in the GitHub repository.

Practices

Our Security Practices

Release Signing

Every official release binary is signed with the project's PGP key and accompanied by a SHA-256 checksum. Always verify the signature and checksum before running any downloaded file.

Open Source Auditing

The Malairte Core codebase is fully open source and available for review on GitHub. We encourage the community to audit the code and report any findings. Third-party audits are planned for major versions.

Dependency Management

We minimise external dependencies and pin specific versions in our build system. Dependencies are reviewed for known CVEs before each release.

Network Security

The P2P protocol uses cryptographic message signing to prevent spoofing. Nodes enforce strict validation of all incoming data. The RPC interface defaults to localhost-only binding and requires authentication.

For Users

Key Management Principles

Your MLRT is only as secure as your private keys. Follow these principles to protect your coins:

  1. Back up your seed phrase immediately after creating a wallet. Write it down on paper, not digitally. Store it in at least two separate physical locations.
  2. Never share your seed phrase or private key with anyone, under any circumstances. No legitimate support request will ever ask for it.
  3. Use wallet encryption. The Malairte wallet supports passphrase encryption of the wallet file. Enable it for any wallet that holds significant funds.
  4. Keep software updated. Always run the latest stable release to benefit from security patches. Check the release notes before upgrading.
  5. Verify downloads. Always download wallets from malairtebitcoin.org/downloads and verify the SHA-256 checksum and release signature before running.
  6. Be wary of phishing. Malairte will never DM you, email you unsolicited offers, or ask you to send coins for verification. If something seems off, it's a scam.
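
The checksum and signature checks from "Release Signing" and principle 5, as an added shell example that is not the Malairte project's own tooling. gpg accepts a good signature from any key in your keyring, so the script also pins the signer to the fingerprint published above. The file names passed in, the detached signature over the binary, and the sha256sum-format checksum file are assumptions.

```shell
#!/bin/sh
# Added example, not Malairte's own tooling. Assumes GnuPG, coreutils sha256sum,
# a detached signature over the binary, and a sha256sum-format checksum file.

# Fingerprint as published on this page, spaces removed to match gpg status output.
PINNED_FPR=$(printf '%s' '3A4B 5C6D 7E8F 9A0B 1C2D 3E4F 5A6B 7C8D 9E0F 1A2B' | tr -d ' ')

# check_sha256 FILE SUMS: succeed only if SUMS lists FILE's name with FILE's digest.
check_sha256() (
  name=$(basename "$1")
  expected=$(awk -v f="$name" '{ n = $2; sub(/^\*/, "", n)
                                 if (n == f) { print tolower($1); exit } }' "$2")
  [ -n "$expected" ] || exit 1          # file not listed: fail closed
  actual=$(sha256sum "$1" | awk '{ print $1 }')
  [ "$actual" = "$expected" ]
)

# signer_is_pinned: reads `gpg --status-fd 1 --verify` output on stdin.
# Requires a VALIDSIG line carrying the pinned fingerprint (signing key or
# primary key) and rejects bad, unverifiable, expired-key or revoked-key results.
signer_is_pinned() {
  awk -v want="$PINNED_FPR" '
    $1 == "[GNUPG:]" && $2 ~ /^(BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
    END { exit !(ok && !bad) }'
}

# verify_release FILE SIG SUMS: signature first, then checksum; both must pass.
verify_release() {
  gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | signer_is_pinned || return 1
  check_sha256 "$1" "$3"
}
```

Import the project key and compare its fingerprint with the published one before calling verify_release; a non-zero exit status means the file should not be run.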

Found an issue?

Report security vulnerabilities privately. Never open public issues for security matters.

security@malairte.org