Help center

Security at Routescore

How Routescore protects your account and data, what to report and where, our safe-harbor for researchers, and how we handle incidents — in plain language.

This is the plain-language version of how we think about security. The formal, canonical policy — scope, safe-harbor wording, and the machine-readable contact — lives on the security policy page and at /.well-known/security.txt.

Read-only and non-custodial by design

Routescore never holds your assets, never moves funds, and never needs a private key or seed phrase. The most powerful thing an attacker could do to a custodial app — drain a wallet — simply isn't in our threat model, because we have no custody to abuse. What we protect is your account, your data, and the integrity of our API.

What we protect

The things worth protecting here are your decision journal, your saved wallet metadata and reports, your billing and tier state, and the integrity of the public API and MCP server. Our security work is focused on making sure one user can never read or change another user's data, and that an API key or MCP client can never exceed the access of the account it belongs to.

How we keep it safe

  • Authorization on every object. Access to wallets, journal entries, scenarios, and reports is checked server-side against the account that owns them — not just hidden in the UI.
  • Server-enforced tiers. Paid features are gated on the server, and your tier is read fresh on each request, so access reflects your current subscription state.
  • Rate-limited public surfaces. Sign-in, the public API, and the MCP server carry rate limits to blunt abuse and enumeration.
  • Tamper-evident records. Journal entries are hash-recorded, so your decision history stays a trustworthy record of what you actually decided.
  • Encrypted in transit, isolated secrets. Traffic is served over HTTPS, and application secrets live in our deployment platform — never in the code you can see, and never in your browser.

Found a vulnerability? Tell us

We run coordinated disclosure and offer a safe-harbor for good-faith researchers. If you think you have found a security issue, email [email protected] — we acknowledge within 24 hours.

Read the full scope, rules of engagement, and safe-harbor terms before you start, and only ever test against accounts and wallets you own. For sensitive reports you can encrypt to our published PGP key (linked from /.well-known/security.txt).

What makes a great report

A clear description, the exact URL or endpoint, reproduction steps or a proof-of-concept, and the impact you believe it has. Test accounts beat production. We credit researchers (with your consent) once an issue is fixed.

How we handle incidents

If something does go wrong, we follow a written, blameless process: detect, contain, eradicate, recover, and then publish a post-incident review that focuses on fixing the system, not blaming a person. Our incident and post-mortem template is public on GitHub, so you can see exactly how we'd respond — including how and when we'd tell affected users.

We will never ask for your seed phrase

No part of Routescore — not support, not an email, not a popup — will ever ask for your private key or seed phrase. If anything claiming to be us does, it is not us. Report it to [email protected].