# Security

Date: 2026-05-22  
Status: public policy draft

## No Recovery Data

ErgoCommunity.org must never request, collect, store or transmit:

- seed phrases
- mnemonics
- private keys
- wallet recovery files
- passwords
- signing secrets

If any page, form, message or support flow asks for recovery data, treat it as unsafe and report it.

## Sensitive Links

The following categories require safety review before being exposed as public action links:

- wallets
- bridges
- DeFi
- support accounts
- private invites
- airdrop or claim flows
- transaction signing tools
- downloads or install links

Until reviewed, these links should route through official source pages or stay blocked.

## Reporting

For suspected phishing, impersonation, malicious links or unsafe support flows, collect:

- suspected URL or handle
- category
- affected project or channel
- short description
- optional screenshot
- optional transaction or identifier
- optional reporter contact

Do not ask reporters for private keys or recovery data.

## Escalation

- High-risk wallet/support phishing: publish a warning or route to official escalation within 4 hours.
- Suspicious project links: mark blocked or caution until reviewed.
- False positive: archive with note and reviewer.

## Deployment Security

Recommended production headers:

- Content Security Policy with an explicit allowlist for `https://www.ergoblockchain.org` if the Sage proof stream is enabled.
- `Referrer-Policy: strict-origin-when-cross-origin`
- `X-Content-Type-Options: nosniff`
- `Permissions-Policy: camera=(), microphone=(), geolocation=()`
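As an added example (not code from the ErgoCommunity.org project), the following builds the recommended header set and audits a deployed response's headers against it, so a missing header or a CSP source outside the allowlist shows up as a finding. The CSP shape (`default-src 'self'`, `connect-src` widened only to the proof-stream origin) is an assumption; the policy only names the allowed origin.

```javascript
const SAGE_PROOF_ORIGIN = "https://www.ergoblockchain.org";

const FIXED_HEADERS = {
  "referrer-policy": "strict-origin-when-cross-origin",
  "x-content-type-options": "nosniff",
  "permissions-policy": "camera=(), microphone=(), geolocation=()",
};

// Header map to set on every production response. The CSP shape (everything
// 'self', connect-src widened only for the proof stream) is an assumption.
function productionHeaders({ sageProofStream = false } = {}) {
  const connectSrc = ["'self'"];
  if (sageProofStream) connectSrc.push(SAGE_PROOF_ORIGIN); // explicit allowlist
  const csp = [
    "default-src 'self'",
    `connect-src ${connectSrc.join(" ")}`,
    "object-src 'none'",
    "frame-ancestors 'none'",
  ].join("; ");
  return { "content-security-policy": csp, ...FIXED_HEADERS };
}

// Parse a CSP header value into { directive: [sources] }.
function parseCsp(value) {
  const out = {};
  for (const part of value.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) out[name.toLowerCase()] = sources;
  }
  return out;
}

// Audit a response's headers (names compared case-insensitively) against the
// recommendations. Returns a list of findings; empty means the deployment matches.
function auditHeaders(actual, { sageProofStream = false } = {}) {
  const got = Object.fromEntries(
    Object.entries(actual).map(([k, v]) => [k.toLowerCase(), String(v).trim()]));
  const findings = [];
  for (const [name, want] of Object.entries(FIXED_HEADERS)) {
    if (got[name] !== want) findings.push(`${name}: expected "${want}", got "${got[name]}"`);
  }
  if (!got["content-security-policy"]) return [...findings, "content-security-policy: missing"];
  const allowed = new Set(["'self'", "'none'", ...(sageProofStream ? [SAGE_PROOF_ORIGIN] : [])]);
  for (const [directive, sources] of Object.entries(parseCsp(got["content-security-policy"]))) {
    for (const src of sources) {
      if (!allowed.has(src)) findings.push(`csp ${directive}: "${src}" is not allowlisted`);
    }
  }
  return findings;
}
```

Running `auditHeaders` over the headers captured from a production response (for example the output of a `curl -I` against the site) gives a quick pre-launch check that the proof-stream origin is only allowlisted when that feature is actually on.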
