Security posture & responsible disclosure.
An honest statement of where XDC's infrastructure security stands today — open-source clients, resilience by client diversity, and a cryptographic audit that is in progress, not finished. We describe the posture, not promises.
Open-source clients
The XDC clients are public and auditable. Read, build, or review the source: XinFinOrg/XDPoSChain (XDPoS, Go) and the Besu fork.
Resilience by client diversity
Four independent execution clients across three languages run mainnet. A defect or CVE in one implementation leaves the others serving the chain — no single client can halt the network.
Cryptographic audit — in progress
A cryptographic-surface audit and risk matrix are underway as Phase 0 (Q2–Q3 2026) of the post-quantum migration. This is roadmap work in progress; we make no claim of a completed third-party audit.
Hybrid-first migration
Every post-quantum phase runs classical and PQ signatures in parallel, so no migration step requires a hard cutover. The standard (XDSS-PQ) builds on NIST-selected algorithms.
Reporting a vulnerability
If you believe you've found a security issue in XDC Innovation Labs' infrastructure or the XDSS-PQ work, please report it privately to pq@xdcindia.com rather than opening a public issue. Include enough detail to reproduce, and give us reasonable time to investigate and remediate before any public disclosure. We'll acknowledge receipt and keep you updated.
This page states the current, verifiable posture only. It deliberately makes no claims of completed audits, named audit firms, bug-bounty prize pools, or findings — those do not exist yet and the audit work is tracked transparently on the roadmap.