Skip to main content

Security Roadmap

Security & Compliance describes the architecture as built. This page states the verification and coverage layers on top of it -- what exists, what is committed but not yet funded, and why the honest gap is more credible than an inflated claim.

Third-party security audit

Status: not yet completed. No formal third-party penetration test or code audit has been performed as of this writing. This is a known gap, not an oversight -- a credible audit from a named firm is a planned use of raised capital, scheduled for the period immediately following close, before any expansion of assets under management on the platform. A platform handling exchange API credentials (even non-custodially) should not claim audit coverage it does not have.

Bug bounty

Status: informal only. ChimeraMiND currently offers discretionary rewards for responsibly disclosed vulnerabilities (see chimeramind.com/security) rather than a formal, published bounty program. Listing on a crypto-native bounty platform (Immunefi) is planned alongside the third-party audit -- a formal program before an audit has happened would invite scrutiny the codebase hasn't been prepared for yet.

Insurance

Status: not yet in place. Errors & omissions and cyber-liability coverage are not currently held, consistent with pre-incorporation status (see Regulatory Posture for the entity-formation timeline). Coverage is scoped as a post-close operational item once a legal entity exists to hold the policy.

Why this page exists

A diligence team will ask these three questions regardless of whether they're answered here. Stating the honest current state -- including "not yet" -- with a specific plan attached is a stronger signal than silence or vague reassurance, and it is consistent with how Engineering Practice & Continuity argues its case: verifiable specifics, not claims that can't be checked.