Security & Privacy

To protect our users, their funds, and their privacy, and to ensure smooth operation of the service, Taurus’ security staff runs a number of security controls and procedures.

Wallet Security

  • Our wallets store secrets and perform key derivation and signing in HSMs certified to FIPS 140-2 Level 3.
  • The HSMs are strengthened with a firmware extension developed by Taurus that implements additional security controls and enforces secure HSM configuration.
  • Off-chain quorum and governance rules are cryptographically enforced in trusted execution environments.
  • Key ceremonies, the associated scripts, and the integrity of backups are audited by external experts.

Infrastructure Security

  • Taurus’ infrastructure runs in data centers in Switzerland with banking-grade security controls.
  • All our IT systems are subject to access control and monitoring enforcing segregation of duties.
  • We leverage industry-leading services to mitigate DDoS and detect threats.
  • All our systems require 2FA and use secure channels based on TLS 1.3 or a state-of-the-art VPN.

Internal Controls

  • Taurus implements the three lines of defense model, composed of process owners, risk & compliance, internal & external audit.
  • Our procedures regarding vulnerability management, access control, change management, incident management, and BCP/DRP are regularly audited.
  • All our staff undergo background checks, as well as security, risk, and compliance training.
  • Our software development lifecycle (SDLC) includes audit, fuzz testing, and tool-based automated discovery of security or privacy leaks.

Security Audits

  • We hire world-class teams to review our code and attempt to compromise our systems.
  • The HSM and its firmware extension are regularly audited for security defects and misconfiguration.
  • The user-facing web application and underlying infrastructure undergo regular application penetration testing.
  • Our audited build system certifies that a binary was built from a given source code version.

Security Research

  • Taurus’ internal research unit “Taurus Labs” performs research projects and collaborates with a network of world-class researchers.
  • We publish open-source software and research articles, and give talks at top-tier global events.
  • Taurus has helped leading blockchain organizations to strengthen their security protocols.

Compliance and certifications

  • FINMA Securities Firm license, which allows us to operate TDX
  • ISAE 3402 Type II, regarding risk assurance and internal controls
  • FIPS 140-2 Level 3, regarding HSM devices
  • CMTA DACS, regarding custody procedure and technology security

Contacting us

For any inquiries related to security, please contact [email protected]

Identifying Phishing

Phishing can come from unsolicited email messages (the most common), but also from SMS, links to fake websites posted online, or malicious documents shared by your contacts.

To identify phishing content, look out for the following “features”, in that order:

  • Sense of urgency
  • Timing (unexpected)
  • Origin (sender, site URL)

If you think that you are being “pushed” into something, then you should check it twice before following instructions.

Good phishing can look very similar to legitimate content. In any case, never send your credentials over email or enter them on any website other than the original TDX, and in case of doubt please contact us at [email protected].

Reporting Phishing

To report phishing, please email [email protected] with “Phishing report” as the subject, and include a copy of the message received (email with message headers, SMS screenshot with sender number) and/or any associated files or URLs.

We will then investigate your report and take action to mitigate the risk for other users.

Support Scam Prevention

If you receive a phone call from someone who claims to be from Taurus and asks you for information or to perform certain actions, it could be a scammer trying to trick you into compromising your account or devices. If you receive a suspicious call, you can request to validate it as follows:

  • Send an email to [email protected] with a random phrase, not disclosed to the caller.
  • Ask the caller to tell you the phrase in the email, over the phone or as a response to the email.

This way, you can obtain reasonable assurance that the caller received the email sent to [email protected] and is a legitimate person from Taurus.

There are, however, a number of things that Taurus staff would NEVER DO:

  • Ask you for your password.
  • Ask you to transfer funds to another account.
  • Ask for remote access to your computer.
  • Ask you to pay a fine or a fee to them or a third party.
  • Ask you to register personal details in an attachment or website online.

Reporting Vulnerabilities

We welcome reports from security researchers about potential vulnerabilities impacting TDX. Our vulnerability disclosure policy is the following: We will not take action against anyone who reports an issue in a responsible manner. We will do our best to reply to you in a timely fashion and periodically update you on our progress with respect to investigating or remediating any issues you may have identified.

To report a vulnerability, please email your report to [email protected]. We encourage you to encrypt your message, using the following PGP key:
