At Liminal, we have adopted a security first approach. Security is at the heart of everything we do. Below document will give you a comprehensive idea about the various security layers that have been built into the Liminal platform.

Why you should trust us?

• Why you should trust us?

  • Team Liminal works with a security-first approach and privacy by design mindset.
  • Our security ideological principles
    • Safeguard against insider threats
    • Protect against external attacks
    • Guarding against human errors
    • Zero trust self custody

• Blockchain Security

  • we are using highly secure FIPS 140-2 Level 2 compliant Key Management Service
  • All digital assets are being managed by the industry's highly trusted hardware wallets
  • We are a CCSS compliance-driven organization
  • We continuously audit our asset infrastructure with CCSS guidelines
  • None of our users has solo access to the keys, as a result, their assets are secured from a single point of failure. All critical infra is secured by multisig wallets

• Account Security

  • All the user accounts are required to pass multi-factor authentication
  • We are supporting industry trusted and certified hardware wallets only
  • Every important event notifies the user and sends a personal notification via a secure communication channel.
  • video verification on policy changes: We verify each user by industry highly recommended verification methods such as video verification, ID verification at multiple stages in the user verification process for any config changes.
  • Outgoing transactions are only available on whitelisted addresses. The client is required to follow certain procedures in order to whitelist the address
  • Bot detection, Suspicious IP Throttling, Brute-force Protection are configured to provide high availability and integrity at the login module.

• Compliance and Certifications

  • List of all security related audit reports and certificates

• Infrastructure Security

  • All our developers and admins follow the "least privilege" policy, hence even admins get limited access
  • All of our internal servers are continuously assessed by the internal team and third-party auditors.
  • Our security team has built a security-focused SIEM infrastructure based on open-source technologies to keep an eye on every event and categorized based on the severity to prioritize the attention (re-visit)
  • We have a SOC team that continuously monitors our infrastructure for any possible intrusions.
  • We enforce our employees to use a password manager to store sensitive information.
  • Multifactor authentication is enforced everywhere with secured hardware 2FA devices such as Yubikey, Trezor, Ledger.
  • Cloud platforms are audited daily by automated scanners as well as manually by the internal security team and external agencies on a weekly and monthly basis.
  • Penetration testing activity is being held by the internal team as well as external agencies on a monthly basis.
  • Web infrastructure and APIs are protected with WAF(Web Application Firewall) which requires TLS 1.3 or a higher version of TLS protocol.
  • To provide high availability and prevent infrastructure from a single point of failure we are following distributed approach for production services and access management.

• Internal Controls

  • All employees or contractors undergo criminal background checks before they join Liminal.
  • Access to any Liminal resource are required public-key authentication and the user is verified multiple times during authentication.
  • Any of our CXO team members are unable to individually or jointly transfer cryptocurrency out of our Cold Storage System.

• Vulnerability Disclosure Policy

  At Liminal, we welcome contributions from security researchers. If you believe you have found a security vulnerability that impacts Liminal, we encourage you to contact us immediately. Our team will investigate all legitimate reports and do our best to respond in a timely manner.

  To participate in our private bug bounty program or learn more about the terms of our program, including our scope, bounties, or safe harbor guarantee, please email [email protected].

  Our commitment to security researchers is simple: we will not take action against anyone who reports an issue in a responsible manner. We will do our best to reply to you in a timely fashion and periodically update you on our progress with respect to investigating or remediating any issues you may have identified.

  You can find the details about our bug bounty program below:

BUG BOUNTY PROGRAM

Targets

URLs

• https://vaults.lmnl.app
• https://api.lmnl.app
• https://prod-keys.lmnl.app

Reporting Format

• Send your report to [email protected]
• A detailed explanation of the issue, the potential impact of the vulnerability, and browser details used to perform the attack.
• Mandatory fields
  • Subject: subject should state vulnerability class
  • Prerequisites: List of tools/libraries/OS required to perform the attack
  • Steps to reproduce: a step-by-step guideline to reproduce the attack or a video recording while performing the attack.

Out of Scope

• Any targets besides the one mentioned in the target list.
• All third party applications used at Liminal
• The Liminal marketing website (www.lmnl.app)

Rules

• Please use your own account for testing or research purposes. Do not attempt to gain access to another user’s account or confidential information.
• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
• When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
• Please do not test for spam, social engineering, or denial of service issues. Such activities against Liminal employees and end-user are prohibited.
• Your testing must not violate any law, or disrupt or compromise any data that is not your own.
• By responsibly submitting your findings to Liminal in accordance with these guidelines, Liminal agrees not to pursue legal action against you. Liminal reserves all legal rights in the event of non-compliance with these guidelines.
• Contact us immediately if you inadvertently encounter user or financial transactions data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Liminal.

Qualifying vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. The following issues are considered in scope:

• Balance Manipulation
• User Account Take over
• Cross-site Scripting (XSS)
• Cross-Site Request Forgery (Only potential issues will be considered)
• Server-Side Request Forgery (SSRF)
• SQL Injection
• Server-Side Remote Code Execution (RCE)
• XML External Entity Attacks (XXE)
• Access Control Issues (Insecure Direct Object Reference Issues, Privilege Escalation, etc)
• Exposed Administrative Panels that don't require login credentials
• Directory Traversal Issues
• Local File Disclosure (LFD) and Remote File Inclusion (RFI)
• Gaining access to any of our servers
• Leakage of PII Information of individual or other users.

Non-Qualifying vulnerabilities

• Any URIs leaked because a malicious app has permission to view URIs opened
• Absence of code obfuscation
• Self XSS
• Login/logout cross-site request forgery
• Sensitive data in URLs/request bodies when protected by TLS.
• Use of outdated software/library versions.
• Path disclosure in the binary
• Snapshot/Pasteboard leakage
• Run-time hacking exploits (exploits only possible in a jail-broken/rooted environment)

Bug Bounty Program