Security at mintus
Our approach
Security is a foundational property of the mintus platform, not an afterthought. Because we operate critical infrastructure — voucher liabilities backed by Merchant credit and held by Consumers — we treat security as a first-order engineering concern, with continuous testing, third-party audits and a clear vulnerability-disclosure program.
Platform controls
- Encryption. TLS for data in transit; AES-256 for personal data at rest.
- Key management. Consumer keys are protected by hardware-backed secure storage on the device (iOS Secure Enclave / Android Keystore) and supplemented by threshold cryptography for recovery. Operational keys are stored in HSM-backed key-management systems.
- Access control. Least-privilege access, mandatory multi-factor authentication for all staff with production access, and time-bounded just-in-time elevation for sensitive operations.
- Audit logging. Every administrative action is logged immutably and retained for security review.
- Vulnerability management. Continuous dependency scanning, automated container/image scanning, and a remediation SLA tied to severity (critical: 24 h; high: 7 d; medium: 30 d).
- Penetration testing. Independent third-party penetration tests on application, network and smart-contract layers, repeated at least annually.
- Smart-contract audits. Voucher contract templates are audited by reputable firms; reports are made available to qualifying partners under NDA.
- Incident response. A documented IR plan with notification timelines aligned to GDPR Article 33 (notification of the supervisory authority within 72 hours of becoming aware of a personal-data breach) and equivalent obligations in other jurisdictions.
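The "threshold cryptography for recovery" in the key-management item above refers to a k-of-n property: any k of n shares reconstruct the key, fewer reveal nothing about it. The block below is an added illustration of that property using Shamir secret sharing over a prime field; it is example code written for this page, not mintus's implementation (a production signing key would more likely use a threshold signature scheme that never reassembles the key). The 2-of-3 split, the share holders in the comments and the random key are assumptions.

```python
"""Added example, not mintus's code: k-of-n key recovery with Shamir secret
sharing over the prime field GF(P). The threshold, share holders and key
below are assumptions made for the illustration.
"""
from itertools import combinations
import secrets

P = 2**256 - 2**32 - 977  # secp256k1 field prime; any prime larger than the secret works


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... at x, mod P (Horner's rule)."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % P
    return y


def split_secret(secret, k, n):
    """Split `secret` into n shares, any k of which reconstruct it.

    The secret is the constant term of a random degree-(k-1) polynomial;
    share i is the point (i, f(i)). Fewer than k points leave every
    possible constant term equally consistent, which is the threshold property.
    """
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    if not 0 <= secret < P:
        raise ValueError("secret must be a field element")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange-interpolate the share polynomial at x = 0.

    Caveat: plain Shamir shares carry no integrity protection. A tampered
    share yields a wrong secret silently, and fewer than k shares yield a
    uniformly wrong one. Callers must check the result, e.g. by deriving the
    public key and comparing it against a stored commitment.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    secret = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj == xi:
                continue
            num = num * (-xj) % P
            den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


def recovery_demo(k=2, n=3):
    """Hypothetical 2-of-3 wallet-key recovery (device key store, encrypted
    cloud backup, recovery contact): every k-subset of shares recovers the
    key and a (k-1)-subset does not.

    Returns (key, [recovered_ok for each k-subset], value_from_k_minus_1_shares).
    """
    key = secrets.randbits(256) % P  # constructed stand-in for a consumer key
    shares = split_secret(key, k, n)
    ok = [recover_secret(list(subset)) == key for subset in combinations(shares, k)]
    partial = recover_secret(shares[: k - 1])
    return key, ok, partial


if __name__ == "__main__":
    key, ok, partial = recovery_demo()
    print("every 2-of-3 subset recovers the key:", all(ok))
    print("a single share recovers the key:", partial == key)
```

Two practical notes: the share indices x = 1..n must be distinct and non-zero (x = 0 would leak the secret directly), and because the scheme gives no integrity guarantee on its own, a real recovery flow verifies the reconstructed key against a public commitment before using it.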
Responsible disclosure
If you believe you have found a security vulnerability in the Services, please report it to security@mintus.world. We acknowledge new reports within 72 hours.
Scope
The following are in scope:
- mintus Wallet and Cashier apps for iOS and Android (latest store version)
- Enterprise Console at console.mintus.world
- This website and *.mintus.world subdomains under our control
- Public mintus voucher smart-contract templates
Out of scope
- Denial-of-service or volumetric testing
- Social engineering of mintus staff or vendors
- Physical attacks against our offices or data centres
- Third-party services not operated by us
- Findings that require physical access to a user's unlocked device
Safe-harbour commitment
If you make a good-faith effort to comply with this policy during your security research, we will:
- not pursue or support legal action against you;
- work with you to understand and resolve the issue quickly;
- credit you publicly if you wish, once the issue is fixed.
Bug bounty
We are evaluating a public bug-bounty program. In the meantime, we offer discretionary rewards for high-impact findings. Eligibility and amount are at our sole discretion.
Stay informed
Security advisories are published on this page and, where relevant, communicated directly to affected users. For broader announcements, see our official channels.