Security Audits & Independent Testing

Security is a product, not a page. Below you'll find our independent security audits, penetration testing, scope, versions, findings, and resolution status for our non-custodial wallet. Every change is documented, PGP-signed, validated with SHA-256 checksums, and designed for reproducible builds.

Important: PRC Wallet is non-custodial. Your private keys never leave your device. Audits increase assurance but don't eliminate risk. Always keep offline backups.

Transparency Note

Our first external audits are scheduled with firms like Quantstamp and Trail of Bits. Until reports are published, we detail our security architecture, disclose our threat model, and enforce strict build verification (checksums, PGP) on /download. This page will be updated with full reports, findings, and remediation timelines.

Methodologies: OWASP ASVS, OWASP MASVS (mobile), and supply-chain checks (SLSA provenance when ready).

At a Glance

Model: Non-custodial
Builds: Code-signed
Status: 99.99% uptime

Current & Planned Engagements

Coverage:

  • Client-side key generation & encryption
  • Signing prompts and anti-phishing warnings
  • Seed handling, clipboard protections, lock states
  • dApp connection/permission model, revocation
  • Local storage / memory handling / session lifecycle

Last comprehensive assessment: March 2025

Next window: Q3 2025 (rolling 12–16 week cadence)

Scope & Methodology

In Scope (Web Wallet)

  • Client-side key generation & encryption
  • Signing prompts and anti-phishing warnings
  • Seed handling, clipboard protections, lock states
  • dApp connection/permission model, revocation
  • Local storage / memory handling / session lifecycle
  • Network selection, address rendering, QR display

In Scope (Backend/Infra)

  • No keys/transactions processed server-side; only metadata/CDN
  • TLS, HSTS, CSP, COOP/COEP, X-Frame-Options, Referrer-Policy
  • API auth (if any), rate limits, abuse protections
  • Build artifact storage, download integrity

Out of Scope

  • Third-party dApps you connect to
  • User devices, OS-level malware
  • Non-PRC smart contracts (unless specified)

Build Verification & Downloads

Checksums

SHA-256 for every desktop build and installer.

PGP Signatures

Release signing key fingerprint:

1A2B 3C4D 5E6F 7G8H

Reproducible Builds

Desktop builds are the first target, with the aim of byte-identical outputs across build environments.

Bug Bounty & Disclosure

Contact

Scope: App, site, infra
Response: Within 48 hours
Encryption: PGP key

Severity & SLA

Critical: Immediate hotfix
High: 7 days
Medium: 30 days
Low: Next release

Timeline

  1. Threat model v1 published (status: completed)
  2. Web wallet audit scheduled (Quantstamp) (status: in-progress)
  3. CSP/SRI hardening shipped (v2.1.0) (status: scheduled)
  4. Audit report published; 0 Critical/High; Medium resolved (status: scheduled)
  5. Mobile audit planned (status: planned)

FAQ

Do audits guarantee safety?

No. They reduce risk by catching classes of issues. We combine audits with hardening, CI policies, and ongoing testing.

Will you publish all findings?

Yes, with responsible timelines. User-safety patches precede disclosure; all severities are tracked with status.

Will you publish remediation timelines?

Yes. We publish remediation timelines with each report and track fixes publicly once patches are available.

How can I verify downloads (hashes/PGP)?

Visit /download for SHA-256 checksums and verify signatures with the PGP key in /.well-known/security.txt.
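One way to script the download check described in this answer and in the Build Verification section above, as an added example that is not the project's own tooling: it hashes the downloaded file, compares it against a sha256sum-style SHA256SUMS file, and accepts the detached PGP signature on that file only if gpg reports it valid and made by the pinned release-key fingerprint (a bare "Good signature" from any key in the keyring is not enough). The fingerprint constant and file names are placeholders; substitute the values published on /download.

```python
import hashlib
import hmac
import subprocess

# Placeholder: replace with the release-key fingerprint published by the project.
EXPECTED_FPR = "0000 0000 0000 0000 0000 0000 0000 0000 0000 0000"

def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):  # stream large installers
            h.update(chunk)
    return h.hexdigest()

def parse_sums(text):
    """Parse sha256sum-style lines ('<hex>  <name>' or '<hex> *<name>') into {name: hex}."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")
        if len(digest) != 64 or set(digest.lower()) - set("0123456789abcdef"):
            raise ValueError("malformed checksum line: %r" % line)
        sums[name] = digest.lower()
    return sums

def digest_matches(name, data, sums_text):
    """True only if `name` is listed in SHA256SUMS and its digest matches (constant-time compare)."""
    expected = parse_sums(sums_text).get(name)
    return expected is not None and hmac.compare_digest(sha256_bytes(data), expected)

def signer_fingerprints(status_output):
    """Fingerprints on gpg's VALIDSIG status line (signing key, primary key); GOODSIG alone lacks a full fingerprint."""
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            return {parts[2].upper(), parts[-1].upper()}
    return set()

def signature_ok(sums_path, sig_path, expected_fpr=EXPECTED_FPR):
    """Run gpg on the detached signature; accept only a valid signature by the pinned key."""
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, sums_path],
                          capture_output=True, text=True)
    pinned = expected_fpr.replace(" ", "").upper()
    return proc.returncode == 0 and pinned in signer_fingerprints(proc.stdout)
```

Typical use is `signature_ok("SHA256SUMS", "SHA256SUMS.asc")` first, then `digest_matches(name, open(name, "rb").read(), open("SHA256SUMS").read())` (or `sha256_file` for large installers); the release key must already be imported into the local keyring.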