№ 12 · Security

Security & disclosure.

posture · disclosure · bounty

Security is the product.

For an institutional venue, "security" is not a section in the documentation — it is the product. Below is a plain-English summary of ımyo's security posture and the way to reach us if you find something that should be fixed.

№ 12-A

Posture.

audit · edge · governance
  • Continuous AI audit. Auditor swarm (static analysis, formal verification, economic-attack simulation) gates every code change before deployment. Sentinel swarm runs 24/7 post-deployment with anomaly detection and oracle vigilance across 10+ feeds. Both run inside Trusted Execution Environments, with cryptographic attestations. See /ai-audit/.
  • Conventional audits, additionally. Third-party audits will be published on launch and on every contract revision thereafter. The AI ecosystem is additive, not a substitute.
  • Edge defence. Cloudflare WAF, L7 DDoS protection, DNSSEC-backed DNS, and Workers AI for sub-second anomaly detection on transaction intent before it reaches the chain.
  • Guardian governance. 7-of-11 multisig with AI attestation gate and on-chain timelock for any emergency action. See Guardian.
  • Siloed liquidity. No cross-chain collateral or receipt-token dependencies. A failure on one silo cannot drain the other.
№ 12-B

Responsible disclosure.

scope · contact · safe harbour

If you have found a vulnerability, please write to security@imyo.com with a clear description and reproduction steps. We acknowledge receipt within one business day and aim to triage within three.

Scope.

  • Smart contracts deployed under the ımyo programme on Sui and Ethereum mainnets and any active testnet.
  • The imyo.com domain, its subdomains, and Cloudflare Worker endpoints under the imyo account.
  • Off-chain components that participate in the protocol's critical path (oracle relay, attestation verification, reporting API).

Out of scope.

  • Third-party services (Cloudflare, Securitize, Chainlink, Pyth, etc.) — please report directly to the relevant vendor.
  • Social-engineering attacks against staff or third-party service providers.
  • Denial-of-service findings on unauthenticated public endpoints unless they bypass Cloudflare protections.

Safe harbour.

Researchers acting in good faith under this policy are protected from legal action by ımyo. Do not access user data, do not pivot beyond the minimum necessary to demonstrate the issue, and do not publicly disclose the finding until we have had a reasonable opportunity to remediate. Rewards will be paid for material findings; the bug-bounty schedule will be published at mainnet.

№ 12-C

Direct contact.

access

Security: security@imyo.com

For general institutional access, use info@imyo.com or the form below.

Verified domains only
Received — now check your inbox and confirm the request. We respond within five business days.