Security
Ficha is built so that control never leaves you. If you believe you have found a security vulnerability, we want to hear from you.
Responsible disclosure
We follow responsible disclosure practices and ask that you:
- Report the issue to us before disclosing it publicly.
- Give us enough detail to reproduce and verify it.
- Allow reasonable time for us to address it before any disclosure.
- Avoid accessing, changing, or deleting data that is not yours.
How to reach us
Email us at security@ficha.com.
For sensitive reports, encrypt your message with our PGP public key.
Our security contact is also published as a security.txt (RFC 9116).
What Ficha will never do
To keep you safe:
- We will never ask for your keys, recovery details, or passwords.
- We will never contact you out of the blue about moving your funds.
- We will never pressure you into a rushed transaction.
- We do not give investment advice or tell you when to buy or sell.
If you receive a message claiming to be from Ficha that breaks these rules, do not respond, and report it to security@ficha.com.