Security Policy
Last Updated: February 2026
1. Our Commitment to Security
At WeAD, security is foundational to everything we build. As a platform that handles digital advertising, blockchain tokens, and user data, we recognize the critical importance of maintaining robust security practices across every layer of our infrastructure.
We are committed to:
- Protecting user data and digital assets through industry-standard security measures.
- Continuously improving our security posture as threats evolve.
- Being transparent about our security practices and promptly disclosing incidents.
- Following SOC 2 principles and Web3 security best practices.
- Maintaining compliance with GDPR, CCPA, and other applicable security regulations.
2. Transport Security
All communications between your browser and the WeAD Platform are encrypted and secured:
- TLS/HTTPS — All connections to wead.live are encrypted using TLS (Transport Layer Security). HTTP requests are automatically redirected to HTTPS.
- Certificate Management — We use publicly trusted TLS certificates that are renewed before expiry and monitored for expiration.
- Secure Headers — We set security headers including Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, and Strict-Transport-Security (HSTS) to protect against common web vulnerabilities such as cross-site scripting, MIME-type sniffing, clickjacking, and protocol downgrade.
- API Security — All API endpoints require authentication and are served exclusively over HTTPS. A CORS (Cross-Origin Resource Sharing) policy restricts which browser origins may call the API.
3. Authentication Security
The Platform implements multiple layers of authentication security across different sign-in methods:
3.1 Email/OTP Authentication
- One-Time Passwords (OTPs) are 6-digit codes sent to your registered email address.
- OTP codes expire after 10 minutes and can only be used once.
- Rate limiting is applied to OTP requests to prevent brute-force attacks.
- OTPs are securely generated using cryptographically strong random number generation.
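The four properties above (6 digits, 10-minute expiry, single use, rate limiting) fit together in a small amount of server logic. The following is an added example written for this page, not WeAD's implementation: it keeps OTP state in memory for illustration (a deployment would use a database or Redis), stores only a hash of each code, compares in constant time, and additionally burns a code after too many wrong guesses. The per-hour request limit and the wrong-guess limit are assumed values; the page does not state them.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 10 * 60        # codes expire after 10 minutes (section 3.1)
MAX_REQUESTS_PER_HOUR = 5        # assumed rate limit on OTP requests per address
MAX_VERIFY_ATTEMPTS = 5          # assumed limit on wrong guesses per code


class OtpStore:
    """In-memory OTP state; the clock is injectable so expiry can be tested."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.codes = {}      # email -> {"hash": bytes, "expires": float, "attempts": int}
        self.requests = {}   # email -> timestamps of recent issue() calls

    @staticmethod
    def _hash(email, code):
        # Only a hash is stored, so a leaked table does not reveal live codes.
        return hashlib.sha256(f"{email.lower()}:{code}".encode()).digest()

    def issue(self, email):
        """Generate a fresh code for `email`, or raise if the address is rate limited."""
        now = self.clock()
        recent = [t for t in self.requests.get(email, []) if now - t < 3600]
        if len(recent) >= MAX_REQUESTS_PER_HOUR:
            raise PermissionError("too many OTP requests for this address")
        self.requests[email] = recent + [now]
        # secrets.randbelow is a CSPRNG; zero-padding keeps leading zeros.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        # Issuing a new code replaces any earlier unexpired one.
        self.codes[email] = {
            "hash": self._hash(email, code),
            "expires": now + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return code  # returned only so the caller can email it to the user

    def verify(self, email, submitted):
        """Return True exactly once for the correct, unexpired code; False otherwise."""
        entry = self.codes.get(email)
        if entry is None:
            return False
        if self.clock() > entry["expires"]:
            del self.codes[email]           # expired: discard
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_VERIFY_ATTEMPTS:
            del self.codes[email]           # too many guesses: burn the code
            return False
        ok = hmac.compare_digest(entry["hash"], self._hash(email, submitted))
        if ok:
            del self.codes[email]           # single use
        return ok
```

The wrong-guess limit matters as much as the request limit: with 6 digits and 10 minutes to spare, an attacker who can submit guesses freely has a one-in-a-million chance per attempt, which becomes meaningful only if attempts are unbounded.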
3.2 JWT Token Security
- JSON Web Tokens (JWT) are issued upon successful authentication.
- Tokens expire after 7 days and must be refreshed via re-authentication.
- Tokens are digitally signed, so any change to the header or payload invalidates the signature.
- The signature and expiry are validated on every authenticated API request before the token is trusted.
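What "signed to prevent tampering" has to mean in practice is shown by the added example below, which is not WeAD's code: an HS256 issue/verify pair built on the standard library only. The assumed algorithm is HS256 (the page says only "secure algorithms"), and the seven-day lifetime is taken from this section. The verifier pins the algorithm itself rather than trusting the token's `alg` header, which is what defeats `alg=none` and key-confusion forgeries, and it checks the signature before it looks at the claims.

```python
import base64
import hashlib
import hmac
import json
import time

TOKEN_TTL_SECONDS = 7 * 24 * 3600   # tokens expire after 7 days (section 3.2)
ALLOWED_ALG = "HS256"              # assumed; pinned by the verifier, never read from the token


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(secret, signing_input):
    return hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()


def issue_token(secret, subject, now=None):
    """Return a compact JWT for `subject` that expires TOKEN_TTL_SECONDS from now."""
    now = int(time.time() if now is None else now)
    header = {"alg": ALLOWED_ALG, "typ": "JWT"}
    payload = {"sub": subject, "iat": now, "exp": now + TOKEN_TTL_SECONDS}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    return f"{signing_input}.{_b64url_encode(_sign(secret, signing_input))}"


def verify_token(secret, token, now=None):
    """Return the payload of a well-formed, correctly signed, unexpired token.

    Raises ValueError for anything else; callers should treat every failure
    the same way (reject the request) and not distinguish the reasons to clients.
    """
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("malformed token") from exc
    # The server decides the algorithm; a token saying "none" or "RS256" is rejected outright.
    if not isinstance(header, dict) or header.get("alg") != ALLOWED_ALG:
        raise ValueError("unexpected algorithm")
    expected = _sign(secret, f"{header_b64}.{payload_b64}")
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    # Only now is the payload worth parsing.
    try:
        payload = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("malformed payload") from exc
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if not isinstance(exp, int) or now >= exp:
        raise ValueError("token expired")
    return payload


if __name__ == "__main__":
    key = b"example-signing-key"   # placeholder; a real key is long, random and kept out of source
    tok = issue_token(key, "user-42")
    print(tok)
    print(verify_token(key, tok))
```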
3.3 Flask Session Security
- Session cookies are cryptographically signed; a cookie whose signature does not verify is rejected, so session data cannot be forged or altered in the browser.
- Session cookies are set with the Secure flag (sent over HTTPS only), HttpOnly (not readable by page scripts), and SameSite=Lax (withheld from cross-site POST requests, which limits CSRF; note that Lax still sends the cookie on top-level GET navigations, so state-changing actions must not be triggered by GET).
- Sessions expire after 7 days of inactivity.
3.4 MetaMask Wallet Authentication
- Wallet connection uses the standard Ethereum provider API (EIP-1193).
- Signature verification proves control of the wallet: the wallet signs a message with its private key, and the Platform recovers the signing address from that signature and checks that it matches the connecting address before linking the wallet to an account.
- No private keys are ever transmitted to or stored by the WeAD Platform.
3.5 Google / Firebase OAuth 2.0
- Google Sign-In is handled through Firebase Authentication, leveraging Google's enterprise-grade security infrastructure.
- OAuth 2.0 tokens are managed by Firebase and never directly handled by WeAD's backend.
- We request minimal scopes (email and profile) to reduce the attack surface.
4. Smart Contract Security
The WeAD ecosystem relies on smart contracts deployed on BNB Chain. We take the following measures to ensure their security:
4.1 WEAD Token Contract (BEP-20)
- Built on the standard ERC-20/BEP-20 token interface using a widely audited, battle-tested implementation.
- Contract source code follows established patterns to minimize vulnerability risk.
- Token contract functionality is limited to standard transfer, approval, and balance operations.
4.2 Ad Viewing Contract
- Manages the verification and reward distribution for Microtiser ad displays.
- Includes safeguards against common attack vectors (reentrancy, integer overflow, unauthorized access).
- Reward calculations are performed on-chain for transparency and auditability.
4.3 Cross-Chain Bridge
- Bridge contracts facilitate WEAD token transfers between supported chains.
- Multi-signature requirements and time-lock mechanisms are implemented for high-value operations.
4.4 Audit Commitment
5. Infrastructure Security
Our server infrastructure is secured through multiple layers of protection:
- Server Hardening — Production servers run hardened operating systems with unnecessary services disabled, default credentials changed, and security patches applied promptly.
- Process Management — The application runs under PM2 process manager, providing automatic restart on failure, log management, and process monitoring.
- Rate Limiting — API endpoints are protected by rate limiting to prevent abuse, denial-of-service attacks, and brute-force attempts.
- Firewall Configuration — Server firewalls restrict inbound connections to necessary ports only (HTTPS, SSH with key-based authentication).
- Access Control — Server access is restricted to authorized personnel via SSH key-based authentication. Password-based SSH access is disabled.
- Monitoring & Alerting — System health, error rates, and suspicious activity are monitored. Alerts are triggered for anomalous behavior.
6. Data Protection
We implement comprehensive data protection measures:
- Encryption in Transit — All data transmitted between clients and servers is encrypted using TLS 1.2 or higher.
- Encryption at Rest — Sensitive data stored on our servers is encrypted using industry-standard encryption algorithms.
- Minimal Data Collection — We follow data minimization principles, collecting only the data necessary to provide our services (see our Data Use Policy).
- Access Controls — Internal access to user data is restricted on a need-to-know basis with role-based access controls.
- Data Segregation — User data, application data, and system logs are stored in separate data stores with independent access controls.
- Backup Security — Data backups are encrypted and stored securely with limited access.
7. Fraud Prevention
As an advertising platform with token economics, fraud prevention is critical to maintaining ecosystem integrity:
- Interaction Verification — Ad views and interactions are verified through multiple signals including device fingerprinting, behavioral analysis, and location confirmation.
- Device Fingerprinting — We use device fingerprinting techniques to detect bot traffic and prevent automated fake engagement. This is done in compliance with privacy regulations and disclosed in our Privacy Policy.
- Anomaly Detection — Machine learning and rule-based systems monitor for unusual patterns that may indicate fraudulent activity, such as impossibly fast interactions, geographic inconsistencies, or abnormal viewing patterns.
- GPS Spoofing Detection — Multiple location verification methods are employed to detect GPS spoofing attempts by Microtisers.
- Rate Limiting — Token reward claims and ad interactions are rate-limited to prevent abuse.
- Account Suspension — Accounts found to be engaging in fraudulent activity are immediately suspended, and earned rewards may be forfeited.
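The rule-based side of the anomaly detection above can be made concrete with a small detector over ad-view records. This is an added example for this page, not WeAD's detection system: it takes per-account view events carrying a timestamp, GPS position and on-screen dwell time, and flags three of the patterns the section names, an impossibly short dwell, rapid-fire views, and a distance between consecutive views that no vehicle could cover in the elapsed time (the GPS spoofing signal). The thresholds and the sample events are constructed for illustration.

```python
import math
from dataclasses import dataclass

MIN_DWELL_SECONDS = 3.0      # assumed: shorter than any human glance at an ad
MIN_GAP_SECONDS = 5.0        # assumed: minimum spacing between two distinct views
MAX_SPEED_KMH = 1000.0       # assumed: faster than this between views implies spoofed GPS


@dataclass
class AdView:
    account: str
    ts: float        # Unix seconds
    lat: float
    lon: float
    dwell: float     # seconds the ad was on screen


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS-84 points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def flag_views(views):
    """Return {account: [reasons]} for accounts whose views break any rule.

    Views are grouped per account and examined in time order; each reason
    names the offending view's timestamp so an analyst can pull the record.
    """
    by_account = {}
    for v in sorted(views, key=lambda v: (v.account, v.ts)):
        by_account.setdefault(v.account, []).append(v)

    flags = {}
    for account, seq in by_account.items():
        reasons = []
        prev = None
        for cur in seq:
            if cur.dwell < MIN_DWELL_SECONDS:
                reasons.append(f"dwell {cur.dwell:.1f}s at {cur.ts:.0f}")
            if prev is not None:
                gap = cur.ts - prev.ts
                if gap < MIN_GAP_SECONDS:
                    reasons.append(f"gap {gap:.1f}s at {cur.ts:.0f}")
                dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
                # A zero or negative gap with any movement is treated as infinite speed.
                speed = dist / (gap / 3600.0) if gap > 0 else float("inf")
                if speed > MAX_SPEED_KMH:
                    reasons.append(f"{dist:.0f} km in {gap:.0f}s at {cur.ts:.0f}")
            prev = cur
        if reasons:
            flags[account] = reasons
    return flags


# Constructed sample events: one clean account, one GPS spoofer, one bot.
SAMPLE_VIEWS = [
    AdView("alice", 1000, 40.7128, -74.0060, 12.0),   # Manhattan
    AdView("alice", 1600, 40.7306, -73.9352, 8.5),    # ~6 km away, ten minutes later
    AdView("bob",   1000, 40.7128, -74.0060, 10.0),   # Manhattan
    AdView("bob",   1060, 51.5074, -0.1278, 9.0),     # London sixty seconds later
    AdView("carol", 1000, 48.8566, 2.3522, 0.4),      # 0.4 s dwell
    AdView("carol", 1002, 48.8566, 2.3522, 0.3),      # another 2 s later
]

if __name__ == "__main__":
    for account, reasons in flag_views(SAMPLE_VIEWS).items():
        print(account, reasons)
```

A production system would combine these hard rules with the learned models the section mentions, and would score rather than block on a single signal, since a legitimate user on a flight can trip a naive speed check once.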
8. User Responsibilities
Security is a shared responsibility. As a WeAD user, you play an important role in protecting your account and assets:
8.1 Wallet Security
- Private Key Protection — Never share your MetaMask private key, seed phrase, or recovery words with anyone, including WeAD staff. We will never ask for your private key.
- Hardware Wallets — For significant token holdings, consider using a hardware wallet (e.g., Ledger, Trezor) for additional security.
- Transaction Verification — Always verify transaction details (recipient address, amount, gas fees) before confirming transactions in MetaMask.
8.2 Account Security
- Unique Email — Use a unique, secure email address for your WeAD account.
- Email Security — Keep your email account secure with strong passwords and two-factor authentication, as OTP codes are sent to your email.
- Phishing Awareness — Be cautious of phishing attempts. Official WeAD communications only come from @viewfi.live email addresses. Always verify the URL is wead.live before signing in.
- Session Management — Log out of the Platform when using shared or public devices.
8.3 Reporting Suspicious Activity
If you notice suspicious activity on your account or encounter potential security issues, report them immediately to wead@viewfi.live.
9. Incident Response
WeAD maintains an incident response plan to handle security breaches and incidents effectively:
- Detection & Assessment — Security incidents are detected through monitoring systems and user reports. Each incident is assessed for severity and scope.
- Containment — Immediate steps are taken to contain the incident and prevent further damage.
- Notification — In compliance with GDPR Article 33, we will notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach. In line with GDPR Article 34, affected users will be notified without undue delay when the breach is likely to result in a high risk to their rights and freedoms.
- Remediation — Root cause analysis is conducted, and fixes are implemented to prevent recurrence.
- Post-Incident Review — After resolution, a thorough review is conducted to improve our security measures and incident response procedures.
10. Vulnerability Reporting
We value the security research community and encourage responsible disclosure of vulnerabilities:
10.1 Responsible Disclosure Guidelines
- Report vulnerabilities to wead@viewfi.live with the subject line "VULNERABILITY REPORT".
- Provide sufficient detail for us to reproduce and understand the vulnerability.
- Allow reasonable time for us to investigate and address the issue before public disclosure.
- Do not exploit vulnerabilities beyond what is necessary to demonstrate the issue.
- Do not access, modify, or delete other users' data.
10.2 Scope
The following are in scope for vulnerability reports:
- The wead.live website and API endpoints.
- WeAD smart contracts deployed on BNB Chain.
- Authentication and authorization mechanisms.
- Data exposure vulnerabilities.
10.3 Recognition
We appreciate responsible security researchers. Valid vulnerability reports may be acknowledged publicly (with your permission) and may qualify for bug bounty rewards at our discretion. We will not pursue legal action against researchers who follow these responsible disclosure guidelines.
11. Third-Party Security
We assess the security practices of third-party services integrated into the Platform:
- Vendor Assessment — Third-party services (Firebase, Resend, Google Maps) are evaluated for their security certifications, data handling practices, and compliance with industry standards before integration.
- Minimal Permissions — Third-party integrations are configured with the minimum permissions necessary for their intended function.
- Regular Review — We periodically review our third-party integrations to ensure they continue to meet our security requirements.
- CDN Security — Client-side libraries (Chart.js, Font Awesome, Leaflet) are loaded from reputable CDNs with Subresource Integrity (SRI) hashes where supported, so a modified copy served by the CDN is refused by the browser.
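The integrity check in the last bullet is Subresource Integrity: the page embeds a hash of the expected file in the `integrity` attribute, and the browser refuses to execute a fetched script whose digest differs. The helper below is an added example for this page, not WeAD's build tooling; it generates the attribute value for a library file and also reproduces the browser's matching rule (when several algorithms are listed, only the strongest set is considered, and any digest in that set may match), which is useful as a build-time check that the pinned hashes still correspond to the vendored files. The script bytes and the CDN URL in the example are constructed placeholders.

```python
import base64
import hashlib

# The only digest algorithms SRI accepts, weakest to strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(content, algorithm="sha384"):
    """Return the integrity attribute value for `content`, e.g. 'sha384-<base64>'."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError("unsupported SRI algorithm")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(content, integrity):
    """Apply the SRI matching rule to `content` against an integrity attribute value.

    Unknown algorithms are ignored; if none remain the browser would skip the
    check entirely, which a build-time verifier should treat as a failure.
    """
    parsed = []
    for token in integrity.split():
        alg, _, rest = token.partition("-")
        if alg in SRI_ALGORITHMS and rest:
            parsed.append((alg, rest.split("?")[0]))   # drop any option suffix
    if not parsed:
        return False
    strongest = max(SRI_ALGORITHMS.index(alg) for alg, _ in parsed)
    for alg, b64 in parsed:
        if SRI_ALGORITHMS.index(alg) == strongest and sri_hash(content, alg) == f"{alg}-{b64}":
            return True
    return False


def script_tag(src, content):
    """Emit the <script> tag for a CDN-hosted file whose bytes are `content`."""
    return (
        f'<script src="{src}" integrity="{sri_hash(content)}" '
        f'crossorigin="anonymous"></script>'
    )


if __name__ == "__main__":
    library = b"/* constructed stand-in for a vendored library */ console.log('lib');"
    print(script_tag("https://cdn.example/lib.min.js", library))   # placeholder URL
```

Note that `crossorigin="anonymous"` is required on cross-origin scripts for the browser to enforce the integrity check at all.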
12. Contact
For security-related inquiries, vulnerability reports, or incident reports, please contact us:
- General Security Inquiries: wead@viewfi.live
- Vulnerability Reports: wead@viewfi.live (Subject: VULNERABILITY REPORT)
- Security Incidents: wead@viewfi.live (Subject: SECURITY INCIDENT)
- Website: wead.live
We aim to acknowledge security reports within 48 hours and provide an initial assessment within 5 business days.