Security model
Built around non-custody and offline signing.
StakeGuard messaging should be direct: private keys stay offline, users keep control, and downloads must be verified.
Private keys stay offline
The Offline Signer is designed for workflows where sensitive key operations are not performed on the online backend.
Non-custodial by design
StakeGuard should not have unilateral control over user Bitcoin.
Integrity verification
Users should verify release checksums before installing the Offline Signer.
Encrypted recovery data
Recovery data should be encrypted before transport or storage.
Clear recovery assumptions
Users should understand who can recover, when recovery is possible, and what transaction is being prepared.
Security reporting
Security researchers and users should have a direct route to report issues.
Responsible disclosure
Found a security issue?
Use the support page and choose Security report. Replace this text with your final security policy before public launch.