Security Policy
Security at NoTap
Security is our top priority. NoTap is designed with security-first principles to protect user authentication data and prevent unauthorized access.
Reporting a Vulnerability
We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.
How to Report
Email: [email protected]
Please Include:
Description of the vulnerability
Steps to reproduce the issue
Potential impact assessment
Suggested fix (if available)
Your contact information
What to Expect
Acknowledgment: We'll acknowledge your report within 24 hours
Investigation: We'll investigate and provide updates within 72 hours
Resolution: We'll work on a fix and coordinate a disclosure timeline with you
Credit: We'll credit you in the security advisory (unless you prefer to remain anonymous)
Responsible Disclosure
Please give us reasonable time to fix vulnerabilities before public disclosure. We typically aim to fix and publish within:
Critical vulnerabilities: 7-14 days
High severity: 30 days
Medium/Low severity: 60-90 days
Security Features
Cryptographic Standards
NoTap uses industry-standard cryptography:
Hashing: SHA-256 for all authentication factor digests
Key Derivation: PBKDF2 with 100,000 iterations
Encryption: AES-256-GCM for data encryption
Transport: TLS 1.3 for all network communication
Key Rotation: Daily re-derivation of working keys with HKDF, so a key compromised on one day does not expose other days
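The following is an added example, not NoTap's own code, showing how the primitives listed above fit together with only the Python standard library: SHA-256 factor digests, a PBKDF2 master key at the stated 100,000 iterations, and HKDF (RFC 5869, implemented here by hand because it is not in `hashlib`) used to derive a fresh key per UTC day. The salt and info labels (`notap-daily-rotation`, `notap/daily/`) and the per-type domain separation are assumptions made for illustration.

```python
# Added example (not NoTap's own code): the derivation chain described above, using only
# the Python standard library. Labels such as "notap/daily/" are assumptions for illustration.
import hashlib
import hmac
from datetime import datetime, timezone

HASH_LEN = 32                 # SHA-256 output size
PBKDF2_ITERATIONS = 100_000   # figure stated in this policy; OWASP currently recommends 600,000 for PBKDF2-HMAC-SHA256


def factor_digest(factor_type: str, factor_value: bytes, salt: bytes) -> bytes:
    """SHA-256 digest of one authentication factor.

    The factor type is mixed in (with a NUL separator) so a PIN and a pattern with the
    same bytes do not collide, and a per-user salt prevents cross-user digest matching.
    """
    h = hashlib.sha256()
    h.update(factor_type.encode("utf-8") + b"\x00")
    h.update(salt)
    h.update(factor_value)
    return h.digest()


def derive_master_key(secret: bytes, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 with the iteration count from the policy."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ITERATIONS, dklen=HASH_LEN)


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) || info || i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-Expand: requested length too large")
    okm, t, i = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([i]), hashlib.sha256).digest()
        okm += t
        i += 1
    return okm[:length]


def daily_key(master_key: bytes, day: str) -> bytes:
    """Key for one UTC day (YYYY-MM-DD).

    Binding the day into the HKDF info string yields a different key every day without
    touching the master key; no day's key can be computed from another day's key alone.
    """
    prk = hkdf_extract(b"notap-daily-rotation", master_key)   # salt label: assumption
    return hkdf_expand(prk, b"notap/daily/" + day.encode("ascii"), HASH_LEN)


def today_utc() -> str:
    return datetime.now(timezone.utc).strftime("%Y-%m-%d")


if __name__ == "__main__":
    # Constructed sample inputs, not real user data.
    salt = bytes(range(16))
    master = derive_master_key(b"device-secret", salt)
    print("factor digest :", factor_digest("pin", b"1234", salt).hex())
    print("today's key   :", daily_key(master, today_utc()).hex())
    print("yesterday's   :", daily_key(master, "2025-12-04").hex())
```

The `hkdf_extract`/`hkdf_expand` pair reproduces RFC 5869 test case 1 exactly, which is the check to run before trusting any hand-written HKDF. Note that PBKDF2 is the slow, salted step and HKDF is the fast one: HKDF must only ever be fed a key that already has full entropy (here the PBKDF2 output), never a PIN directly.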
Attack Resistance
NoTap is designed to resist common attacks:
Timing Attacks - Constant-time comparison for all factors
Replay Attacks - Nonce validation and session expiry
Brute Force - Multi-layer rate limiting and account lockout
Man-in-the-Middle - TLS 1.3 and certificate pinning
Memory Dumps - Automatic memory wiping of sensitive data
Device Tampering - Anti-root/jailbreak detection
Privacy Protection
Zero-Knowledge Proofs - Merchants never see which factors you used
No Biometric Storage - Only cryptographic hashes stored
24-Hour TTL - Authentication data auto-expires daily
GDPR Compliant - Privacy by design, right to erasure
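The following is an added example, not NoTap's own code, showing a verifier that applies the timing, replay and brute-force protections from the Attack Resistance list and the 24-hour TTL from the Privacy Protection list on every attempt. It returns an outcome string rather than raising, so every path can be exercised against a manual clock without a network or a database. The 5-minute acceptance window, the 5-failure lockout and the 15-minute lockout length are assumptions; `unsafe_equal` is included only to contrast with `hmac.compare_digest`.

```python
# Added example (not NoTap's own code): a verifier that applies the checks named above on
# every authentication attempt. Window and lockout sizes are assumptions.
import hashlib
import hmac
import time

TTL_SECONDS = 24 * 60 * 60   # 24-hour TTL on authentication data, from this policy
ACCEPT_WINDOW = 300          # assumption: client timestamp may differ from ours by 5 minutes
MAX_FAILURES = 5             # assumption: consecutive failures before lockout
LOCKOUT_SECONDS = 900        # assumption: lockout length


class ManualClock:
    """Deterministic clock so the replay, lockout and expiry paths can be exercised offline."""
    def __init__(self, start: float):
        self.now = start

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def __call__(self) -> float:
        return self.now


def factor_digest(value: bytes, salt: bytes) -> bytes:
    return hashlib.sha256(salt + value).digest()


def unsafe_equal(a: bytes, b: bytes) -> bool:
    """For contrast only: returns at the first differing byte, so the response time
    reveals how many leading bytes of the candidate digest were correct."""
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        if x != y:
            return False
    return True


class FactorVerifier:
    def __init__(self, factor_value: bytes, salt: bytes, now=time.time):
        self._now = now
        self._salt = salt
        self._digest = factor_digest(factor_value, salt)
        self._enrolled_at = now()
        self._seen = {}            # nonce -> time after which it may be forgotten
        self._failures = 0
        self._locked_until = 0.0

    def verify(self, candidate: bytes, nonce: bytes, client_time: float) -> str:
        """Returns one of: ok, bad_factor, expired, locked, stale, replay."""
        now = self._now()
        if now - self._enrolled_at > TTL_SECONDS:
            return "expired"           # 24-hour TTL: the enrolment must be renewed
        if now < self._locked_until:
            return "locked"            # account lockout after repeated failures
        if abs(now - client_time) > ACCEPT_WINDOW:
            return "stale"             # outside the window: an old capture is useless
        # Forget nonces whose window has closed, then refuse any nonce seen before.
        self._seen = {n: t for n, t in self._seen.items() if t > now}
        if nonce in self._seen:
            return "replay"
        self._seen[nonce] = now + ACCEPT_WINDOW  # recorded before comparing, so a failed attempt cannot be replayed either
        # Constant-time comparison: same running time whether the first or the last byte differs.
        if hmac.compare_digest(self._digest, factor_digest(candidate, self._salt)):
            self._failures = 0
            return "ok"
        self._failures += 1
        if self._failures >= MAX_FAILURES:
            self._failures = 0
            self._locked_until = now + LOCKOUT_SECONDS
        return "bad_factor"


def run_demo() -> list:
    """Constructed sequence that hits each rejection path; returns the outcomes in order."""
    clock = ManualClock(1_700_000_000.0)
    v = FactorVerifier(b"1234", b"per-user-salt", now=clock)
    out = [v.verify(b"1234", b"nonce-1", clock()),        # ok
           v.verify(b"1234", b"nonce-1", clock()),        # replay: same nonce again
           v.verify(b"1234", b"nonce-2", clock() - 600)]  # stale: timestamp 10 minutes old
    for i in range(MAX_FAILURES):
        out.append(v.verify(b"0000", b"bad-%d" % i, clock()))  # bad_factor x5 -> lockout
    out.append(v.verify(b"1234", b"nonce-3", clock()))    # locked, even with the right factor
    clock.advance(LOCKOUT_SECONDS + 1)
    out.append(v.verify(b"1234", b"nonce-4", clock()))    # ok again after lockout
    clock.advance(TTL_SECONDS)
    out.append(v.verify(b"1234", b"nonce-5", clock()))    # expired: past the 24-hour TTL
    return out


if __name__ == "__main__":
    print(run_demo())
```

Two details matter more than they look. The nonce is recorded before the comparison, so a captured failed attempt cannot be resubmitted either; and nonces are only forgotten once the timestamp window has closed, which is exactly when the timestamp check alone would already reject a replay, so the two checks cover each other. The lockout counter is per enrolment here; the policy's "multi-layer" rate limiting would add per-IP and per-device layers on top.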
Security Best Practices
For Developers Integrating NoTap
API Key Security
Never commit API keys to version control
Use environment variables or secure vaults
Rotate keys regularly (every 90 days recommended)
Use different keys for development/staging/production
HTTPS Only
Always use HTTPS for all API communication
Never send authentication data over HTTP
Implement certificate pinning for production apps
Input Validation
Validate all user inputs before sending to NoTap SDK
Sanitize data to prevent injection attacks
Implement proper error handling
Secure Storage
Use platform-specific secure storage (Keychain/KeyStore)
Never store authentication factors in plain text
Clear sensitive data from memory after use
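The following is an added example, not NoTap's own SDK code, showing a preflight check an integrator can run at startup to enforce the API key, HTTPS, input validation and secure-storage rules above: it refuses unset or placeholder keys, flags the same key being reused across environments, rejects non-HTTPS base URLs, validates a PIN before it is handed to the SDK, and keeps the key in a `bytearray` so it can be zeroed after use. The environment-variable names, the placeholder values and the 4-12 digit PIN format are assumptions.

```python
# Added example (not NoTap's own code): a preflight check for the integration rules above.
# Environment-variable names, placeholder values and the PIN format are assumptions.
import os
import re
from urllib.parse import urlsplit

# assumption: one variable per deployment environment
ENV_KEY_VARS = {
    "development": "NOTAP_API_KEY_DEV",
    "staging": "NOTAP_API_KEY_STAGING",
    "production": "NOTAP_API_KEY_PROD",
}
PLACEHOLDER_KEYS = {"", "changeme", "your-api-key-here"}   # assumption: values that mean "not configured"
PIN_RE = re.compile(r"[0-9]{4,12}")                        # assumption: PIN factors are 4-12 digits


def audit_config(environment: str, base_url: str, env=os.environ) -> list:
    """Return the list of problems found; an empty list means the configuration passes."""
    problems = []
    var = ENV_KEY_VARS.get(environment)
    if var is None:
        return [f"unknown environment {environment!r}"]
    key = env.get(var, "")
    if key.strip().lower() in PLACEHOLDER_KEYS:
        problems.append(f"{var} is unset or a placeholder; load the real key from the environment or a vault")
    # The same key value in two environments means one leak exposes both.
    for other_var in ENV_KEY_VARS.values():
        if other_var != var and key and env.get(other_var) == key:
            problems.append(f"{var} and {other_var} hold the same key; use one key per environment")
    parts = urlsplit(base_url)
    if parts.scheme != "https":
        problems.append(f"base URL {base_url!r} is not https://; authentication data must never travel over HTTP")
    if not parts.hostname:
        problems.append("base URL has no host")
    return problems


def validate_pin(pin: str) -> bool:
    """Accept only a digit string of plausible length before it reaches the SDK."""
    return PIN_RE.fullmatch(pin) is not None


def load_api_key(environment: str, env=os.environ) -> bytearray:
    """Return the key as a mutable buffer so it can be zeroed when no longer needed."""
    return bytearray(env[ENV_KEY_VARS[environment]].encode("utf-8"))


def wipe(buf: bytearray) -> None:
    """Overwrite a secret buffer in place (best effort: Python may still hold copies in str objects)."""
    for i in range(len(buf)):
        buf[i] = 0


if __name__ == "__main__":
    # Constructed environment for the demo; not a real key.
    fake_env = {"NOTAP_API_KEY_PROD": "prod-key-0001", "NOTAP_API_KEY_STAGING": "prod-key-0001"}
    for problem in audit_config("production", "http://api.example.invalid", fake_env):
        print("config problem:", problem)
    key = load_api_key("production", fake_env)
    try:
        print("using key of", len(key), "bytes")
    finally:
        wipe(key)
    print("after wipe:", bytes(key))
```

Run `audit_config` once at process start and refuse to serve if it returns anything; a misconfiguration that fails closed at boot is far cheaper than one discovered after authentication data has crossed an HTTP link. The `wipe` step is honest only up to what the language allows: CPython cannot guarantee that an immutable `str` holding the key is gone, which is why on mobile the policy points to Keychain/KeyStore rather than application memory.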
For End Users
Device Security
Use device lock screen (PIN/biometric)
Keep your device OS updated
Don't use NoTap on rooted/jailbroken devices
Factor Selection
Choose strong, unique authentication factors
Don't reuse PINs/patterns from other services
Enroll 6+ factors from multiple categories
Account Monitoring
Check your NoTap authentication history regularly
Report suspicious activity immediately
Revoke access for lost/stolen devices
Compliance
Standards & Regulations
NoTap complies with:
PSD3 SCA - Strong Customer Authentication (EU Payment Directive)
GDPR - General Data Protection Regulation
OWASP Top 10 - Web application security risks mitigated
NIST Cryptographic Standards - FIPS 140-2 approved algorithms (SHA-256, PBKDF2, AES-256-GCM)
Security Resources
Documentation
Security Analysis - Detailed threat model
Integration Guide - Secure integration patterns
API Reference - Security considerations per endpoint
External Resources
Contact
Security Issues: [email protected]
General Security Questions: GitHub Discussions - Security
Emergency Security Contact: +1-XXX-XXX-XXXX (Enterprise customers only)
Security Commitment
We commit to:
Transparency - Publicly disclose security issues (after fixes)
Rapid Response - Acknowledge reports within 24 hours
Regular Audits - Annual third-party security audits
Continuous Improvement - Ongoing security enhancements
Community Collaboration - Work with security researchers
Last Updated: December 5, 2025
Thank you for helping keep NoTap secure!