Security at Raiz Auto

Financial execution requires uncompromising security. Here's what we do to protect your account, wallet, and transactions — and how to report vulnerabilities.

Security controls

Password & PIN hashing

Passwords and transaction PINs are hashed with bcrypt (work factor 12) before storage. We never store plaintext credentials.

Payload encryption in transit

Sensitive fields (passwords, PINs) are AES-256-GCM encrypted by the client before leaving the browser. The server decrypts using a shared key that never appears in client code.

TLS everywhere

All communication between your browser and our servers uses TLS 1.2 or higher. HTTP requests are permanently redirected to HTTPS.

HttpOnly authentication cookies

Session tokens are stored in HttpOnly, Secure, SameSite=Strict cookies — inaccessible to JavaScript and protected against CSRF and XSS token theft.
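The cookie attributes named above, as an added example that is not Raiz Auto's own code: it builds a session `Set-Cookie` header with Python's standard-library `http.cookies` module and includes a small checker that verifies a header carries all three attributes. The cookie name `session`, the token value and the one-hour lifetime are assumptions for illustration.

```python
from http.cookies import SimpleCookie


def build_session_cookie(token: str, max_age: int = 3600) -> str:
    """Return a Set-Cookie header value for a session token carrying the
    attributes listed on the page: HttpOnly, Secure and SameSite=Strict.
    Cookie name and lifetime are assumed values, not the platform's own."""
    cookie = SimpleCookie()
    cookie["session"] = token
    morsel = cookie["session"]
    morsel["httponly"] = True      # not readable by document.cookie / JavaScript
    morsel["secure"] = True        # only sent over TLS
    morsel["samesite"] = "Strict"  # never sent on cross-site requests
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    return morsel.OutputString()


def cookie_is_hardened(set_cookie_value: str) -> bool:
    """Check a Set-Cookie header value (e.g. from a response you are reviewing)
    for the HttpOnly, Secure and SameSite=Strict attributes, case-insensitively."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    # parts[0] is name=value; the rest are attributes such as "Secure" or "SameSite=Strict"
    flags = set()
    samesite = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key in ("httponly", "secure"):
            flags.add(key)
        elif key == "samesite":
            samesite = value.strip().lower()
    return {"httponly", "secure"} <= flags and samesite == "strict"


if __name__ == "__main__":
    header = build_session_cookie("constructed-token-value")
    print("Set-Cookie:", header)
    print("hardened:", cookie_is_hardened(header))
```

`cookie_is_hardened` is the check a reviewer would run over a captured response header; it deliberately treats `SameSite=Lax` or a missing `Secure` flag as a failure, since either weakens the protection the page describes.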

Transaction PIN lockout

After 5 incorrect PIN attempts, your transaction PIN is locked. You must contact support to unlock, preventing brute-force attacks on financial operations.
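The two controls described under "Password & PIN hashing" and "Transaction PIN lockout" combined into one runnable example. This is added illustration, not Raiz Auto's code: the page states that PINs are hashed with bcrypt at work factor 12, but bcrypt is not in Python's standard library, so this example substitutes PBKDF2-HMAC-SHA256 with a per-PIN random salt; swapping in `bcrypt.hashpw` / `bcrypt.checkpw` changes only `hash_pin` and `verify_pin`. The lockout threshold of 5 is taken from the page; the `PinGuard` class, its state names and the `unlock_by_support` hook are assumptions.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 5              # from the page: lock after 5 incorrect attempts
SALT_LEN = 16
PBKDF2_ITERATIONS = 200_000   # stand-in for bcrypt cost 12; tune to your hardware


def hash_pin(pin: str, salt: bytes = b"") -> bytes:
    """Hash a PIN for storage. Returns salt || digest; plaintext is never kept.
    (PBKDF2 here only because bcrypt is not in the stdlib; see lead-in.)"""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_pin(pin: str, stored: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class PinGuard:
    """Per-account PIN verifier with a hard lockout (assumed design).

    check() returns "ok", "wrong" or "locked". Once locked, even the correct
    PIN is refused until support clears the lock, which is what stops an
    attacker from simply trying a sixth guess."""

    def __init__(self, stored_hash: bytes):
        self.stored_hash = stored_hash
        self.failed_attempts = 0
        self.locked = False

    def check(self, pin: str) -> str:
        if self.locked:
            return "locked"
        if verify_pin(pin, self.stored_hash):
            self.failed_attempts = 0   # a success resets the counter
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_ATTEMPTS:
            self.locked = True
            return "locked"
        return "wrong"

    def unlock_by_support(self) -> None:
        """The out-of-band unlock the page mentions; only support may call this."""
        self.locked = False
        self.failed_attempts = 0


if __name__ == "__main__":
    # Constructed sample: enrol a PIN, then simulate five bad guesses.
    guard = PinGuard(hash_pin("4321"))
    print([guard.check("0000") for _ in range(MAX_ATTEMPTS)])
    print("correct PIN while locked:", guard.check("4321"))
    guard.unlock_by_support()
    print("after support unlock:", guard.check("4321"))
```

The lock state must live server-side, keyed to the account rather than the session, so that a fresh login or a second device does not reset the counter; the counter in this example is in-process only to keep it self-contained.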

Role-based access control

Admin and operations portals are fully isolated from user sessions at the middleware layer. Users cannot access or even discover admin routes.

Responsible disclosure policy

We welcome good-faith security research. If you discover a vulnerability in the Raiz Auto platform, please report it to us privately before public disclosure. We commit to:

  • Acknowledge your report within 2 business days
  • Investigate and keep you informed of our progress
  • Work with you to understand and resolve the issue
  • Not pursue legal action for good-faith security research
  • Credit you in our security acknowledgements (if desired)

How to report

Email your findings to our security team. Encrypt your report with our PGP key if the details are sensitive.

security@raizauto.com

In scope

  • Authentication bypass or privilege escalation
  • Wallet balance manipulation or negative-balance exploits
  • Cross-site scripting (XSS) or cross-site request forgery (CSRF)
  • SQL injection or other injection vulnerabilities
  • Sensitive data exposure in API responses
  • Business logic flaws in bid/Buy Now flows
  • Session fixation or token leakage

Out of scope

  • Denial-of-service or rate-limit testing
  • Social engineering attacks against staff
  • Physical attacks against infrastructure
  • Vulnerabilities in third-party services (IAAI, Copart, payment gateways)
  • Issues already publicly disclosed or being tracked

Safe harbour

Research conducted in good faith under this policy will not be subject to civil or criminal action from Raiz Auto. You must not access, modify, or delete data belonging to other users, and must minimise impact during testing.

Found a security issue?

We take every report seriously. Please don't publicly disclose the issue until we've had a chance to address it.