Security & Privacy
- Our wallets store secrets and perform key derivation and signing in HSMs certified FIPS 140-2 Level 3.
- The HSMs are hardened with a firmware extension developed by Taurus that implements additional security controls and enforces a secure HSM configuration.
- Off-chain quorum and governance rules are cryptographically enforced in trusted execution environments.
- Key ceremonies, their associated scripts, and the integrity of backups are audited by external experts.
- Taurus’ infrastructure runs on data centers in Switzerland with banking-grade security controls.
- All our IT systems are subject to access control and monitoring that enforce segregation of duties.
- We leverage industry-leading services to mitigate DDoS and detect threats.
- All our systems require two-factor authentication (2FA) and use secure channels based on TLS 1.3 or a state-of-the-art VPN.
- Taurus implements the three lines of defense model, composed of process owners, risk & compliance, and internal & external audit.
- Our procedures regarding vulnerability management, access control, change management, incident management, and BCP/DRP are regularly audited.
- All our staff undergo background checks as well as security, risk, and compliance training.
- Our software development lifecycle (SDLC) includes audits, fuzz testing, and automated tools that discover security or privacy leaks.
- We hire world-class teams to review our code and attempt to compromise our systems.
- The HSM and its firmware extension are regularly audited for security defects and misconfiguration.
- The user-facing web application and underlying infrastructure undergo regular application penetration testing.
- Our audited build system certifies that a binary was built from a given source code version.
- Taurus’ internal research unit “Taurus Labs” performs research projects and collaborates with a network of world-class researchers.
- We publish open-source software and research articles, and give talks at top-tier global events.
- Taurus has helped leading blockchain organizations to strengthen their security protocols.
For any inquiries related to security, please contact [email protected]
Phishing can come from unsolicited email messages (the most common), but also from SMS, links to fake websites posted online, or malicious documents shared by your contacts.
To identify phishing content, look out for the following “features”, in that order:
- Sense of urgency
- Timing (unexpected)
- Origin (sender, site URL)
If you think that you are being “pushed” into something, check it twice before following any instructions.
Good phishing can look very similar to legitimate content. In any case, never send your credentials over email or on any website other than the original TDX, and in case of doubt please contact us at [email protected].
To report phishing, please email [email protected] with “Phishing report” as the subject, and include a copy of the message received (the email with its message headers, or an SMS screenshot with the sender number) and/or any associated files or URLs.
We will then investigate your report and take action to mitigate the risk for other users.
Support Scam Prevention
If you receive a phone call from someone who claims to be from Taurus and asks you for information or to perform certain actions, it could be a scammer trying to trick you into compromising your account or devices. If you receive a suspicious call, you can request to validate it as follows:
- Send an email to [email protected] with a random phrase, not disclosed to the caller.
- Ask the caller to tell you the phrase from the email, either over the phone or as a reply to the email.
This way, you can obtain reasonable assurance that the caller received the email sent to [email protected] and is a legitimate person from Taurus.
There are, however, a number of things that Taurus staff would NEVER DO:
- Ask you for your password.
- Ask you to transfer funds to another account.
- Ask for remote access to your computer.
- Ask you to pay a fine or a fee to them or a third party.
- Ask you to register personal details in an attachment or website online.
We welcome reports from security researchers about potential vulnerabilities impacting TDX. Our vulnerability disclosure policy is as follows: we will not take action against anyone who reports an issue in a responsible manner, and we will do our best to reply to you in a timely fashion and periodically update you on our progress in investigating or remediating any issues you may have identified.
To report a vulnerability, please email your report to [email protected]. We encourage you to encrypt your message using the following PGP key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
-----END PGP PUBLIC KEY BLOCK-----