Responsible Disclosure
Last Updated: April 13, 2026
Coinomi values the work done by security researchers in improving the security of our products and service offerings. We are committed to working with the community to verify, reproduce, and respond to legitimate reported vulnerabilities. We encourage the community to participate in our responsible disclosure process.
Reporting a Vulnerability
If you are a security researcher and would like to report a vulnerability, please send an email to: security@coinomi.com
Please provide your name, contact information, and company name (if applicable) with each report. Priority will be granted to encrypted reports — please include your PGP public key along with the report.
Responsible Disclosure Guidelines
We will investigate legitimate reports and make every effort to quickly correct any confirmed vulnerability. To encourage responsible reporting, we commit that we will not take legal action against you or ask law enforcement to investigate you if you comply with the following guidelines:
- Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (POC).
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.
- Do not modify or access data that does not belong to you.
- Give us a reasonable time to correct the issue before making any information public.
- We only accept reports for services provided exclusively by Coinomi and not by any third party.
We will make every effort to respond to your disclosure within 1–2 business days.
Disclosures that do not fully comply with the above guidelines will not be eligible for bounties or any of the assurances discussed herein.
Applications — In Scope
We are mainly interested in vulnerabilities that would allow attackers to compromise wallets and/or crypto assets from Coinomi applications.
In-scope vulnerabilities:
- Bypass of the PIN or biometrics, excluding functionality provided natively by the operating system
- Bypass of user confirmation to sign a transaction
- Sensitive data leaks via memory access, network traffic, local device storage, etc.
- Dependency tree / supply chain attacks
- Cryptography vulnerabilities related to BIP-39/32/44 derivation and elliptic curves
Out-of-scope for applications:
- Unencrypted Firebase service tokens
Websites — In Scope
We are interested in critical vulnerabilities in our infrastructure, including both the front end and the back end.
Out-of-scope for websites:
- Presence/absence of SPF/DMARC records
- Lack of CSRF tokens
- Clickjacking and tabnabbing issues
- Missing security headers that do not lead directly to a vulnerability
- Missing best practices (we require evidence of a security vulnerability)
- Reports from automated tools or scans
- Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept)
- Absence of rate limiting
- Outdated software without any noteworthy vulnerability
- Broken links
- Vulnerabilities in third-party services (e.g., Zendesk, X/Twitter) — report directly to them
Exchange Service — In Scope
For the Coinomi Exchange aggregator service, we are additionally interested in:
- Vulnerabilities that could allow manipulation of displayed exchange rates or fees
- Vulnerabilities that could redirect user funds to attacker-controlled addresses
- Vulnerabilities in the API integration layer with Exchange Partners
- Information leakage that could expose user transaction details beyond what is described in our Privacy Policy
Out-of-scope for the Exchange Service:
- Vulnerabilities in Exchange Partner systems (report directly to the Exchange Partner)
- Exchange rate discrepancies caused by market conditions or Exchange Partner API behavior
- Exchange Partner downtime or unavailability
© 2014–2026 Loksias SA. All rights reserved.