Trust & Safety

Security is our foundation, not a feature

Every architecture decision starts with security. Here's exactly how we protect your funds and your data — with no vague promises.

SSL A+ · TLS 1.3 · CSRF Protected · SQLi Prevented · XSS Mitigated
Overview

Defence in depth

We don't rely on a single security measure — we implement overlapping layers. An attacker who breaches one layer faces multiple more. This is called defence in depth, and it's the standard for financial platforms.

Every API endpoint validates CSRF tokens, sanitizes input, uses prepared statements, and enforces authentication. Sensitive data is never logged, never stored in plaintext, and never transmitted without encryption.

Our commitment: We conduct regular security reviews, update dependencies promptly, and maintain a responsible disclosure program for external researchers.

Transport & Encryption

256-bit SSL/TLS Encryption
All traffic uses AES-256 encryption. We enforce TLS 1.2+ and reject older protocols. Your card details, passwords, and session data never travel unencrypted.
HTTPS Everywhere + HSTS
All pages are served over HTTPS. HTTP connections are auto-redirected. We use HSTS headers with a long max-age to prevent protocol downgrade attacks permanently.
Encrypted at Rest
API keys and sensitive configuration are encrypted at rest. Passwords use bcrypt with work factor 12 — computationally impractical to brute-force even with a database breach.
Bcrypt Password Hashing
We use PHP's password_hash() with PASSWORD_BCRYPT at cost factor 12. Even if our database were stolen, plaintext passwords cannot be recovered in any practical timeframe.

Application Security (OWASP Top 10)

We systematically address every item in the OWASP Top 10 — the industry standard checklist for web application security.

A01
Broken Access Control
All authenticated routes verify session ownership. Admin routes are separately gated. API endpoints enforce user-ownership on every record query.
Mitigated
A02
Cryptographic Failures
No sensitive data stored in plaintext. All passwords hashed with bcrypt. API keys encrypted. TLS enforced on all connections.
Mitigated
A03
SQL Injection
Every database query uses PDO prepared statements with bound parameters. No string interpolation in SQL. Ever.
Mitigated
A07
Identification & Authentication
Session tokens are server-side only, regenerated on login, and expire on inactivity. Logout fully destroys the session.
Mitigated
A08
Software & Data Integrity
CSRF tokens on all state-changing requests. Webhook payloads are verified. Dependency updates are reviewed before deployment.
Mitigated
A05
Security Misconfiguration
Error messages never expose stack traces to users. Server headers are hardened. Debug mode is disabled in production.
Mitigated
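As an added illustration of the bcrypt, prepared-statement and session-handling controls claimed above (example code, not the platform's own), here is a minimal PHP login handler; the `users` table with its `email` and `password_hash` columns, the `$pdo` connection and an already-started session are assumptions:

```php
<?php
// Added example, not the platform's code. Assumes: PDO connection in $pdo,
// a `users` table (id, email, password_hash), and session_start() already called.
declare(strict_types=1);

const BCRYPT_COST = 12; // the cost factor stated on this page

// Hash a new password with bcrypt at cost 12 before it is ever written to the database.
function hashPassword(string $plain): string
{
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Contrast only (never do this): string interpolation lets the email rewrite the query.
//   $sql = "SELECT * FROM users WHERE email = '$email'";

// Safe lookup: the email is bound as a parameter, so it can only ever be treated as data.
function findUserByEmail(PDO $pdo, string $email): ?array
{
    $stmt = $pdo->prepare('SELECT id, email, password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function login(PDO $pdo, string $email, string $password): bool
{
    $user = findUserByEmail($pdo, $email);
    // Verify against a freshly computed dummy hash when the account does not exist,
    // so response time does not reveal which emails are registered.
    $hash = $user['password_hash'] ?? hashPassword('dummy-' . bin2hex(random_bytes(8)));
    if ($user === null || !password_verify($password, $hash)) {
        return false;
    }
    // A07: issue a fresh session id on login and discard the pre-login one.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $user['id'];
    // Transparently upgrade hashes stored at a lower cost than current policy.
    if (password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute([':h' => hashPassword($password), ':id' => $user['id']]);
    }
    return true;
}
```

Logout would pair this with `session_unset()`, `session_destroy()` and expiry of the session cookie, which is what "fully destroys the session" under A07 refers to.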

Financial Controls

No Card Data Stored
Card numbers and CVVs entered on the Buy page are processed in real-time only. We never write raw card data to disk or database at any point.
Withdrawal Approval Flow
All withdrawals require explicit admin approval before broadcasting. Anomalous patterns (unusual destination, unusual amount) trigger manual review.
Atomic Database Transactions
Balance updates use database transactions with rollback on failure. It is impossible for funds to be deducted without being credited, or vice versa.
Transaction Limits
Daily and per-transaction limits prevent large-scale account compromise scenarios. Limits scale with account history and verification status.

Your role in account security

Platform security and personal security work together. Here's how to protect your account from your side:

Use a unique password
Never reuse a password from another service. Use a password manager like 1Password or Bitwarden.
Verify your email
Email verification unlocks all platform features and is required to recover your account.
Double-check wallet addresses
Crypto transactions are irreversible. Always verify the full destination address before confirming a withdrawal.
Log out on shared devices
Our sessions expire automatically, but manually logging out is safer on public computers.
Watch for phishing
We only operate on our official domain. We will never ask for your password via email or support chat.
Report suspicious activity
If you notice any transactions you didn't make, contact security@cryptooutsiders.com immediately.

Found a vulnerability?

We operate a responsible disclosure program. If you discover a security issue, please report it privately. We respond within 24 hours, fix it promptly, and credit researchers who help us improve.

Please don't exploit vulnerabilities or access other users' data. We ask for coordinated disclosure to protect users during the fix window.

Report a Vulnerability
security@cryptooutsiders.com