Security Disclosure & Bug Bounty
Toii Social LLC · legal@gao.global — Subject: [SECURITY] · Last updated: March 31, 2026
Security is the foundation of Gaokey. We build to the IronClaw Security Standard — an internal framework that enforces non-custodial architecture, on-device key management, and zero OTA updates. We take all security reports seriously and commit to responding quickly and transparently.
Responsible Disclosure Policy
Toii Social LLC operates a responsible disclosure program. We ask that security researchers:
- Report privately first. Do not publish or share vulnerability details publicly before we have had the opportunity to investigate and remediate.
- Give us reasonable time. We request a minimum of 90 days to investigate, remediate, and release a fix before public disclosure.
- Do not exploit vulnerabilities. Do not access, modify, or exfiltrate user data. Do not use vulnerabilities to perform transactions, access wallets, or disrupt service.
- Act in good faith. Comply with all applicable laws. We will not pursue legal action against researchers who follow this policy in good faith.
In return, we commit to:
- Acknowledging your report within 72 hours
- Providing a status update within 7 business days
- Notifying you when the vulnerability is resolved
- Crediting you publicly (if you choose) upon fix release
How to Report
Email: legal@gao.global
Subject line: [SECURITY] Brief description
Include in your report:
- Description of the vulnerability
- Steps to reproduce
- Potential impact assessment
- Affected component (iOS / Android / backend / protocol)
- Any proof-of-concept (do not include live exploit code)
Scope
In Scope
| Target | Description |
|---|---|
| Gaokey iOS app | io.gaokey.app — App Store distribution |
| Gaokey Android app | io.gaokey.app — Google Play distribution |
| key.gao.global | Landing page and legal documents |
| Passkey / FIDO2 | Authentication flow implementation |
| Key generation & storage | Secure Enclave / Android Keystore usage |
| x402 payment protocol | Payment flow integration |
Out of Scope
- Third-party services (Expo EAS, Apple, Google)
- Blockchain networks themselves (Ethereum, Base, etc.)
- Social engineering attacks
- Physical device attacks
- Denial of service (DoS/DDoS)
- Reports from automated scanners without proof of concept
- Issues in dependencies outside our control
Bug Bounty Program
Status: Pre-Mainnet — Bounty program activates at mainnet launch.
Upon mainnet launch, Gaokey will operate a formal bug bounty program. Reward tiers:
| Severity | Description | Reward (USD) |
|---|---|---|
| Critical | Remote key extraction, seed phrase exposure, unauthorized transaction signing | $5,000 – $20,000 |
| High | Authentication bypass, privilege escalation, wallet takeover | $1,000 – $5,000 |
| Medium | Data leakage, insecure storage of non-key data, significant logic errors | $250 – $1,000 |
| Low | Minor information disclosure, UI deception, non-exploitable issues | $50 – $250 |
Reward amounts are determined by Toii Social LLC at our sole discretion based on severity and exploitability, quality and completeness of the report, and novelty of the finding.
Severity Definitions
- Critical: Vulnerabilities that allow an attacker to extract private keys or seed phrases, or to sign transactions without user authorization. These represent an existential threat to user funds and identity.
- High: Vulnerabilities that allow an attacker to gain unauthorized access to wallet functionality, bypass authentication, or impersonate a user’s identity.
- Medium: Vulnerabilities that expose non-critical user data, allow information leakage that could facilitate further attacks, or cause significant incorrect application behavior.
- Low: Minor issues that do not directly threaten user security but represent deviations from best practice.
IronClaw Security Standard
Gaokey is built to the IronClaw Security Standard, which defines our minimum security baseline:
- No OTA updates. All code updates are delivered through App Store and Google Play only.
- On-device key storage. Private keys never leave the device’s hardware-backed secure storage.
- No remote user credentials. User signing credentials (wallet keys) are never stored on servers.
- Credential source: remote (EAS). Build signing credentials (used to sign app releases, not user transactions) are stored encrypted on Expo servers and are never committed to repositories.
- Zero secrets in code. Automated checks prevent secrets from being committed to any repository.
The IronClaw Security Standard is an internal framework and does not constitute a formal third-party certification.
Known Limitations (Pre-Mainnet)
- No independent audit completed. An external third-party security audit is planned prior to mainnet launch. Audit results will be published publicly.
- Pre-mainnet software. Do not use with real funds until audit completion.
- x402 protocol. The x402 payment protocol is experimental and has not been independently audited.
Hall of Fame
Researchers who responsibly disclose valid security issues will be recognized here upon fix release (with their permission).
Legal Safe Harbor
Toii Social LLC will not pursue civil or criminal action against security researchers who:
- Discover and report vulnerabilities in accordance with this policy
- Act in good faith and do not exploit vulnerabilities beyond proof-of-concept
- Comply with all applicable laws
- Do not access, modify, or retain user data beyond what is necessary to demonstrate the vulnerability
Contact
legal@gao.global — Subject: [SECURITY]