Security
Last updated: June 1, 2026. How XYBIT protects user assets, accounts, and data — from cold storage to bug bounty.
Security is the foundation of XYBIT. We have architected our platform on a defence-in-depth model — multiple independent layers of controls ensure that the compromise of any single layer does not result in a breach. Our security team operates 24×7 and continuously monitors for threats across infrastructure, application, and blockchain layers.
The majority of user crypto assets (>95%) are held in air-gapped cold storage wallets that are never connected to the internet. Cold wallets use hardware security modules (HSMs) with multi-signature authorisation, requiring multiple independent keyholders to approve any withdrawal.
A small operational float (<5% of assets) is maintained in hot wallets for day-to-day liquidity. Hot wallets are protected by multi-sig authorisation, IP whitelisting, transaction velocity limits, and real-time anomaly detection.
All INR funds deposited by users are held in segregated escrow accounts with scheduled commercial banks. User INR balances are never commingled with XYBIT operational funds.
XYBIT operates on a multi-region cloud infrastructure with automated failover and disaster recovery. All services run within private network segments with strict inbound and outbound firewall rules. No administrative ports are exposed to the public internet.
All public-facing endpoints are protected by an enterprise-grade DDoS mitigation service capable of absorbing large-scale volumetric attacks. Rate limiting and bot detection are enforced at the API gateway layer.
All data is encrypted at rest using AES-256 and in transit using TLS 1.3. Database encryption keys are managed via a dedicated key management service (KMS) with automatic rotation. Sensitive fields such as PAN numbers and bank account details are additionally encrypted at the application layer.
External penetration tests are conducted bi-annually by certified ethical hackers. Our web application, mobile application, and API endpoints are all in scope. Critical findings are patched within 24 hours; high findings within 7 days.
All accounts are strongly encouraged to enable 2FA. We support TOTP-based authenticator apps (e.g., Google Authenticator, Authy). SMS-based 2FA is available as a secondary option. Accounts with 2FA enabled receive enhanced withdrawal protection.
Users can whitelist specific crypto withdrawal addresses. Once enabled, withdrawals can only be sent to whitelisted addresses. Any change to the whitelist requires email confirmation and a mandatory 24-hour waiting period.
Suspicious login attempts — including logins from new devices, unusual geographies, or after failed attempts — trigger additional verification steps and email alerts. Unrecognised device logins are blocked until confirmed.
User sessions are issued short-lived JWT tokens with automatic expiry. Concurrent session limits apply, and users can view and terminate active sessions from their account security settings at any time.
All smart contracts deployed by XYBIT are audited by independent blockchain security firms prior to deployment. No contract is deployed to mainnet without a clean audit report. Audit reports are publicly available in our Audit Reports section.
XYBIT monitors all deposit and withdrawal wallet addresses against global sanctions lists, known scam databases, and darknet marketplace wallets. Deposits from flagged addresses are quarantined pending compliance review.
XYBIT tracks network health for all supported blockchains. In the event of a major network incident (fork, reorg, or validator outage), affected deposits and withdrawals are paused automatically until the network reaches a stable state.
XYBIT operates a responsible disclosure and bug bounty programme open to all security researchers. In-scope targets include our web application, mobile applications, public APIs, and deployed smart contracts.
Critical vulnerabilities (e.g., remote code execution, authentication bypass, smart contract exploits that risk user funds): ₹5,00,000 – ₹25,00,000. High severity findings: ₹50,000 – ₹2,50,000. Medium and low findings are also rewarded on a case-by-case basis.
Security researchers must report findings to security@xybit.in before public disclosure. We commit to acknowledging receipt within 24 hours, triaging findings within 72 hours, and communicating a remediation timeline within 7 days. We will not pursue legal action against researchers who follow responsible disclosure guidelines.
XYBIT maintains a documented Incident Response Plan (IRP) that is tested and updated at least annually. The IRP covers identification, containment, eradication, recovery, and post-incident review for all classes of security incidents.
In the event of a security incident affecting user accounts or funds, XYBIT will communicate directly with affected users via registered email, post a status update at status.xybit.in, and file required regulatory disclosures within the mandated timeframes.
To report a security vulnerability, contact our security team at security@xybit.in. For general security enquiries, you may also reach us at support@xybit.in. Do not share details of potential vulnerabilities on public channels or social media prior to responsible disclosure.