Security Features and Program
Exodus has a team of world-class security experts, including top 10 HackerOne researchers on staff. Dedicated teams focus on attacker simulation, cloud security, and application security. These teams drive secure architecture and development via our secure software development lifecycle (SSDLC), lead cloud security best practices, and work to adopt and improve leading security frameworks.
Exodus doesn’t have access to your private keys; therefore we can’t gain access to your crypto. This is a fundamental philosophy throughout our development process and core to our company culture. Customer key autonomy is a fundamental right for a secure self-custodial wallet.
Secure By Design
Exodus develops all of our products using the latest secure design principles, and provides security training and guidance via our SSDLC, as well as via direct consultation and product design review. Our dedicated manual audit process and secure tooling and automation ensure customers' assets are safe.
Only Trusted Code
Exodus leverages open-source software, allowing us to collaborate with the community, accelerate innovation, and adopt new technologies. Before shipping Exodus products to customers, our team conducts manual audits of all open-source dependencies to find potential risks and vulnerabilities.
Reporting Security Findings and Bug Bounty
Exodus’ coordinated vulnerability disclosure program is operated via our bug bounty with HackerOne. Find our program here: Exodus HackerOne Bounty. Program details and bounty award ranges are listed there. Please be sure to review our policies and scope before submitting your findings.
You can also share your report via email to: email@example.com. If you feel there’s sensitive data that needs to be encrypted, feel free to use our OpenPGP key found below.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Verify:
- - - https://keybase.io/exodusmovement/pgp_keys.asc?fingerprint=ef2ccd36c16a8b90da1932e0926dc59fbb75b328
- - - https://keybase.io/exodusmovement
NOTE: Future releases may also be signed with the following key instead:
- - - https://keybase.io/jprichardson/pgp_keys.asc?fingerprint=12408650e2192febe4e7024c9d959455325b781a
- - - https://keybase.io/jprichardson