Security is foundational to Righthium. Our platform handles institutional property records and cryptographic ownership data. This document describes our security architecture and our responsible disclosure policy for security researchers.
Security Architecture
Data Encryption
- In transit: All API and web traffic is encrypted with TLS 1.3
- At rest: Sensitive credentials (OAuth tokens, API keys) are encrypted with AES-256-GCM, an authenticated mode, so a ciphertext that has been modified in storage fails decryption instead of yielding a corrupted credential
- Passwords: Stored as bcrypt hashes (salted and deliberately slow to compute), never in plaintext
Authentication & Access Control
- JWT-based authentication with role-based access control (company_admin, company_staff, customer, platform_admin)
- All API endpoints require a valid token, except the public /verify endpoint described under Known Limitations; there are no anonymous writes
- Company isolation: companies cannot access each other's data
- Platform admin role is strictly separated from company roles
Blockchain Security
- Property records are anchored to Polygon (currently the Amoy testnet; production mainnet planned) by writing a cryptographic hash of each record on-chain
- Anchored hashes are immutable once written, and the off-chain records are tamper-evident: any change to a record changes its recomputed hash, which then no longer matches the anchored value
- Wallet credentials are stored in encrypted environment variables, never in source code
Infrastructure
- Hosted on SOC2-ready cloud infrastructure
- Database queries use parameterized statements (bound parameters), so user input is never spliced into SQL text; this is what prevents SQL injection
- API rate limiting is applied to prevent abuse
- Sandbox environments enforce strict environment variable isolation
Responsible Disclosure Policy
We welcome security researchers who identify vulnerabilities in the Righthium platform. If you discover a potential security issue, please follow these guidelines:
Report Security Issues
Email: support@righthium.com
Include "Security Disclosure" in the subject line. We will acknowledge your report within 48 hours and aim to resolve verified vulnerabilities within 30 days.
What We Ask
- Do not access, modify, or delete data that does not belong to you
- Do not perform denial-of-service attacks or other disruptive testing
- Do not disclose the vulnerability publicly until we have had a reasonable time to address it
- Act in good faith — we will do the same
What We Will Do
- Acknowledge your report promptly
- Investigate and validate the report
- Keep you informed of our progress
- Credit you in our acknowledgements (if desired)
- Not pursue legal action against researchers acting in good faith
Known Limitations
The following are known characteristics of the platform that are not considered security vulnerabilities:
- Blockchain records are public and immutable by design
- Token IDs are publicly verifiable at the /verify endpoint
- Cryptographic hashes anchored to Polygon are visible on-chain
Righthium takes security seriously. We appreciate the security research community's efforts to improve the safety of our platform.