Fyxvo is in a devnet private alpha, so this page is intentionally specific about what is in place today, what still needs review, and how to report issues responsibly.
Use a private channel for anything that could affect user funds, credentials, or service integrity.
Email security disclosures to security@fyxvo.com.
Include reproduction steps, impact, and any proof-of-concept details that help validate the issue quickly.
Do not publish exploit details before Fyxvo has had a reasonable chance to investigate and respond.
Repository policy: SECURITY.md
High-level controls that exist today in the live product.
Wallet authentication uses signed challenges rather than password login.
Gateway access requires project-scoped API keys with explicit scopes and clean revocation paths.
Secrets are stored in managed runtime configuration, not committed to the repository.
Webhook URLs are validated to reject private and internal address targets, reducing SSRF risk.
CSP reporting, request logging, incident tracking, and support workflows are live for operational visibility.
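The webhook control above (reject URLs that point at private or internal addresses) is the one most often implemented incompletely, so here is an added illustration of what a complete check looks like. This is not Fyxvo's code; validate_webhook_url, is_internal_address and demo_resolver are hypothetical names, the HTTPS-only rule is an assumed policy, and the resolver table and addresses are constructed so the block runs offline.

```python
import ipaddress
import socket
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

# Added illustration, not Fyxvo's code. The names below (validate_webhook_url,
# is_internal_address, demo_resolver) are hypothetical. The check mirrors the
# control on the page: a customer-supplied webhook URL must not point at a
# private or internal address, or webhook delivery becomes an SSRF primitive.

ALLOWED_SCHEMES = {"https"}          # assumed policy: TLS-only webhooks
Resolver = Callable[[str], List[str]]


def system_resolver(host: str) -> List[str]:
    """Every A/AAAA address the OS resolver returns for host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_internal_address(text: str) -> bool:
    """True for loopback, private, link-local, multicast, reserved, unspecified
    or otherwise non-global addresses. IPv4-mapped IPv6 (::ffff:a.b.c.d) is
    unwrapped first so it cannot smuggle an RFC 1918 target past the check."""
    addr = ipaddress.ip_address(text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified
            or not addr.is_global)


def validate_webhook_url(url: str, resolve: Resolver = system_resolver) -> Tuple[bool, str]:
    """Return (ok, reason). Accepts only if the scheme is allowed, the URL carries
    no credentials, and *every* address the host resolves to is public."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    host = parts.hostname  # lower-cased, brackets stripped from IPv6 literals
    if not host:
        return False, "missing host"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "localhost not allowed"
    try:                      # literal IP: no DNS needed, judge it directly
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        if is_internal_address(host):
            return False, f"literal internal address {host}"
        return True, "ok"
    try:
        addrs = resolve(host)
    except OSError as exc:    # socket.gaierror is an OSError
        return False, f"DNS failure for {host}: {exc}"
    if not addrs:
        return False, f"{host} did not resolve"
    for a in addrs:           # dual-stack hosts: all records must be public
        if is_internal_address(a):
            return False, f"{host} resolves to internal address {a}"
    return True, "ok"


# Constructed resolver table so the example runs offline; addresses are samples.
DEMO_TABLE = {
    "hooks.example.com": ["93.184.216.34"],                        # public
    "internal.example.test": ["10.0.0.5"],                         # RFC 1918
    "dual.example.test": ["93.184.216.34", "::ffff:192.168.1.9"],  # one bad record
    "2130706433": ["127.0.0.1"],                                   # decimal spelling of loopback
}


def demo_resolver(host: str) -> List[str]:
    if host not in DEMO_TABLE:
        raise socket.gaierror(f"unknown host {host}")
    return DEMO_TABLE[host]


if __name__ == "__main__":
    for u in ("https://hooks.example.com/events", "https://internal.example.test/x",
              "https://[::ffff:10.0.0.1]/x", "https://2130706433/x",
              "http://hooks.example.com/x"):
        print(u, "->", validate_webhook_url(u, demo_resolver))
```

Checking at registration time is necessary but not sufficient: a DNS answer can change between registration and delivery, so the same check should run again when the delivery worker resolves the host, the connection should go to the address that passed, and the HTTP client should not follow redirects.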
What Fyxvo does and does not handle.
Fyxvo never asks for or stores wallet private keys.
API keys are shown once at creation time, stored as hashes server-side, and can be rotated or revoked from the product.
Webhook secrets are generated per endpoint and used for HMAC verification.
The assistant's Anthropic API access is handled with backend runtime secrets and is never exposed to browsers.
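Two of the points above describe concrete server-side mechanics: API keys that are shown once and kept only as hashes, and per-endpoint webhook secrets used for HMAC verification. The block below is an added illustration of both, not Fyxvo's code; ApiKeyStore, sign_webhook, verify_webhook and the "fx_" key prefix are hypothetical, the timestamp-plus-body signing layout and the 300-second freshness window are assumptions, and the payload and secrets are constructed samples.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Set

# Added illustration, not Fyxvo's code. ApiKeyStore, sign_webhook and
# verify_webhook are hypothetical names. The block shows the two controls the
# page describes: API keys returned once and kept server-side only as hashes,
# and per-endpoint webhook secrets used for HMAC verification of deliveries.

KEY_PREFIX = "fx_"   # assumed: a fixed prefix lets secret scanners recognise leaked keys


def hash_key(plaintext: str) -> str:
    # Keys are 256-bit random strings, so a fast hash is fine; a slow password
    # hash is only needed when the secret being protected is low-entropy.
    return hashlib.sha256(plaintext.encode()).hexdigest()


class ApiKeyStore:
    """Keeps project-scoped key records indexed by hash; never stores plaintext."""

    def __init__(self) -> None:
        self._by_hash: Dict[str, dict] = {}

    def create(self, project_id: str, scopes: Set[str]) -> str:
        plaintext = KEY_PREFIX + secrets.token_urlsafe(32)
        self._by_hash[hash_key(plaintext)] = {
            "project": project_id, "scopes": set(scopes), "revoked": False,
        }
        return plaintext  # the only time the caller ever sees it

    def authorize(self, presented: str, scope: str) -> Optional[str]:
        """Project id if the key is live and holds the scope, else None."""
        # Hashing before lookup means timing differences in the dict lookup
        # reveal nothing about the plaintext key.
        rec = self._by_hash.get(hash_key(presented))
        if rec is None or rec["revoked"] or scope not in rec["scopes"]:
            return None
        return rec["project"]

    def revoke(self, presented: str) -> bool:
        rec = self._by_hash.get(hash_key(presented))
        if rec is None:
            return False
        rec["revoked"] = True
        return True

    def rotate(self, old: str) -> Optional[str]:
        """Issue a replacement with the same project and scopes, then revoke old."""
        rec = self._by_hash.get(hash_key(old))
        if rec is None or rec["revoked"]:
            return None
        new = self.create(rec["project"], rec["scopes"])
        rec["revoked"] = True
        return new


# --- webhook signing: per-endpoint secret, HMAC-SHA256 over timestamp + body ---

def new_webhook_secret() -> bytes:
    return secrets.token_bytes(32)


def sign_webhook(secret: bytes, timestamp: int, body: bytes) -> str:
    # Binding the timestamp into the MAC lets the receiver reject stale replays.
    return hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, timestamp_header: str, signature_header: str,
                   body: bytes, now: Optional[int] = None, tolerance: int = 300) -> bool:
    """Receiver-side check: signature must match the raw body and be fresh."""
    try:
        ts = int(timestamp_header)
    except ValueError:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - ts) > tolerance:
        return False
    expected = sign_webhook(secret, ts, body)
    try:
        return hmac.compare_digest(expected, signature_header)  # constant-time
    except TypeError:        # non-ASCII header value
        return False


if __name__ == "__main__":
    store = ApiKeyStore()
    key = store.create("proj_demo", {"read:events"})
    print("issued once:", key[:8] + "...", "stored as", list(store._by_hash)[0][:8] + "...")
    print("authorize read:", store.authorize(key, "read:events"))
    secret = new_webhook_secret()
    body = b'{"event":"tx.confirmed"}'   # constructed sample payload
    ts = int(time.time())
    sig = sign_webhook(secret, ts, body)
    print("webhook verifies:", verify_webhook(secret, str(ts), sig, body))
```

The receiver must compute the HMAC over the raw request bytes, not over a re-serialised JSON object, since any whitespace or key-order change breaks the comparison; and rotation should issue the new key before revoking the old one so a client can switch without an outage.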
Honest scope boundaries for a devnet private alpha.
Fyxvo does not claim a completed external security audit for the full platform stack today.
The devnet launch is intended for controlled evaluation, integration testing, and operational hardening before any future mainnet posture is claimed.
Mainnet readiness, broader external review, and stronger governance posture are still future work.
Current stage