Security & Trust

What's proven, what isn't yet, and how to reach us.

Last updated 2026-07-01

We'd rather tell you exactly where we stand than oversell it. Below: what's independently checked today, what's still on our roadmap, and the fastest way to report a problem.

Current security posture, by product

Adversarially reviewed: Core modules (Arbitra, Finalis, Meridian)

Every payment and security path goes through adversarial automated review and our internal audit gates before it ships. Meridian carries a public 100% mutation-kill (6/6) result. Provenance cards and a signed wallet attestation for these modules are published on our provenance page — check the claims yourself rather than take our word for it.

Pre-audit: SMB Automations

SMB Automations is live in production and actively hardened, but it has not yet been through a formal third-party security audit. A scheduled external review is on our roadmap, and this page will update the moment it's complete.

Non-custodial by design: Preacher Wallet

Self-custody: your keys are meant to never leave your device, and we do not hold, access, or recover your funds. We're publishing the specifics of that design as part of this page's next update.

What we don't do

Known limitations (honest, not hidden)

Report a vulnerability

Found a security issue in any Frederick & Sons product (the storefront, SMB Automations, Preacher Wallet, or any live module)? Please report it responsibly before any public disclosure.

Email: via our contact page — mark the subject SECURITY.

We commit to: acknowledging your report, investigating promptly, and keeping you updated as we work toward a fix. We do not currently run a paid bug-bounty program for our own products, but we credit responsible disclosures publicly (with your permission).

Incident response

If we ever experience a security incident affecting user funds or data, our commitment is: notify affected users as soon as we have accurate information, publish a post-incident summary of what happened and what we changed, and never bury a real problem behind vague language.

You don't have to take "it's up" on faith either — the live status page probes every public surface from your own browser, right now, with no stored history and no synthetic uptime numbers.