Tapbit values the work done by security researchers in improving the security of our products and service offerings. We are committed to working with this community to verify, reproduce, and respond to legitimate reported vulnerabilities.
Responsible Disclosure Guidelines
We will investigate legitimate reports and make every effort to quickly correct any vulnerability. To encourage responsible reporting, we will not take legal action against you or ask law enforcement to investigate you, provided you comply with the following Responsible Disclosure Guidelines:
- Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (POC).
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.
- Do not modify or access data that does not belong to you.
- Do not attempt any significant theft.
- Give Tapbit a reasonable time to correct the issue before making any information public.
If you suspect that your Tapbit account or any of your security details have been compromised, or if you become aware of any fraud or attempted fraud or any other security incident (including a cyber-security attack) affecting you and/or Tapbit (together a “Security Breach”), you must notify Tapbit Support as soon as possible at email@example.com and continue to provide accurate and up-to-date information throughout the duration of the Security Breach. You must take any steps that we reasonably require of you to reduce, manage or report any Security Breach. Failure to provide prompt notification of any Security Breach may be taken into consideration in our determination of the appropriate resolution of the matter.
Regulation and Licensure information
Tapbit is registered as a Money Services Business with FinCEN. As an MSB, Tapbit is compliant with the requirements of the Bank Secrecy Act (BSA). On the State level, the primary issues arise around consumer protection and money transmission laws. Tapbit is currently applying to obtain money transmitter licenses from multiple States within the United States. Tapbit maintains a policy of attempting to broadly disclose to consumers all applicable risks of the service.
The license enables us to operate our exchange and clearinghouse in some states in the US (including its territories), with access to certain international jurisdictions.
Tapbit Derivatives follows an extensive audit program, which includes but is not limited to the following audits:
- Anti-Money Laundering (AML): Annually, we conduct a full analysis and review of our OFAC (Office of Foreign Assets Control) procedures and AML processes, strategy, policy, controls and related technologies.
- Digital Asset Custody: Because we custody digital assets on behalf of our clients, Cooperative Review Agency conducts an annual review of how we hold digital assets from a security and key controls perspective.
- Penetration Testing: We contract with independent outside vendors to perform at-least-annual penetration tests that evaluate the effectiveness of our existing security controls.
- Vulnerability Scans: We run regular systems vulnerability scans on at least a quarterly basis, and more frequently where possible.
- Key Controls: We conduct key controls tests at regular intervals to assess the effectiveness of the oversight mechanisms related to our key internal processes.