The team have extensive experience in cybersecurity, we hold security as our core value. With expertise on both technical (penetration testing, forensics, etc) and strategical (architecture design, GRC, etc) levels, we have a strong understanding of cybersecurity and industry standards. In this section we will cover the Infrastructure, Application and Interface and Business Continuity Management security aspects that secure RuniGun users.

Infrastructure:

Architecture overview

The Telegram bot manages communication with our customers and communicate with our internal logic through RuniGun's API.

The RuniGun server receives API calls from the Telegram bot, process them with its internal logic and interacts with our private node.

The private node runs bitcoin-core and receives instruction from the RuniGun server The IPSec vpn gives an administrative interface in the internal network.

Identity & access management

• We require strong passwords

• We require multifactor authentication

• We always prefer public key cryptography

• We always prefer FIDO2 security keys

• Connection to the infrastructure goes through an IPSec vpn

Network security

The infrastructure is running in a private network with only three internet facing interfaces :

• an IPSec vpn for administration

• the Telegram bot for customer service

• the bitcoin network.

Internal compononents are communicating through SSL vpns on local addresses. The RuniGun server does not have any public interface.

Data security

All databases are encrypted at rest.

Application and Interface:

Telegram

We use Telegram as an identity provider for customers. This means that customer's Telegram account hold power to their wallet.

Telegram user’s IDs are hashed with a cryptographic key derivation function.

Data transfer

We do not transfer data to any external party. Our resources communicate only locally (from process to process or port to port) or through an IPsec VPN.

Security of the development process

Cleared code reviews by a minimum of 2 senior developers and a green build (all automated tests passed) are mandatory for any code to be merged into the master branch.

Access to the code repository is requires two-factor authentication and public-key cryptography. All developers use equipment preconfigured with encrypted hard drives, a mandatory login and screen locking.

We cover each module of the application with unit, integration and functional tests. An automated security check is run with every application release to detect software dependencies with known security vulnerabilities against the Security Advisories Databases.