Security

Last updated: February 14, 2025

How We Protect Your Account

Signer Keys

When you create an account, we generate a signer key that authorizes posts and actions on your behalf. Here's how we protect it:

  • Encrypted at rest using AES-256
  • Stored separately from your account data
  • Access logged and monitored
  • Exportable anytime—you can take it and leave

Your signer key can post on your behalf, but it cannot access your wallet, transfer assets, or change your identity on the Protocol.

Authentication

  • We use passkey-based authentication—no passwords to steal
  • Sessions expire after 30 days of inactivity
  • You can revoke sessions from your account settings

Infrastructure

  • Hosted on Google Cloud with encryption in transit (TLS 1.3) and at rest
  • Production access restricted to essential personnel
  • Systems patched regularly
  • Automated monitoring for anomalies

Vulnerability Disclosure

We welcome security research. If you find a vulnerability, we want to hear about it.

Scope

In scope:
  • Uno iOS app
  • api.officialunofficial.com
  • officialunofficial.com

Out of scope:
  • Third-party services we integrate with
  • The underlying Protocol (report those to the Protocol maintainers)
  • Social engineering attacks on our team
  • Denial of service attacks

Rules

  • Don't access or modify other users' data
  • Don't degrade service for other users
  • Give us reasonable time to fix issues before disclosure (90 days)
  • Don't use automated scanners aggressively

Safe Harbor

If you follow these rules, we will:

  • Not pursue legal action against you
  • Not report you to law enforcement
  • Work with you to understand and resolve the issue

How to Report

Email security@officialunofficial.com with:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Your contact info

We'll acknowledge your report within 48 hours and keep you updated on our progress.

Recognition

We don't currently offer a paid bug bounty, but we'll publicly credit you (if you want) when we fix the issue.

Incident Response

If we discover a breach that affects your data:

  • We'll notify affected users within 72 hours
  • We'll explain what happened and what data was affected
  • We'll tell you what we're doing to fix it

Contact

Security questions or concerns: security@officialunofficial.com