GENERAL BYTES Ethical Codex

Our Commitment

At GENERAL BYTES, integrity, accountability, and trust form the foundation of everything we do. As creators of mission-critical financial systems, we recognize the immense responsibility we bear toward our clients, partners, regulators, and society at large. Every action we take must reflect our dedication to ethical excellence.

Principles

1. Client First
We prioritize the interests, confidentiality, and security of our clients. We build products that are reliable, resilient, and transparently designed to serve their needs without compromise.

2. Integrity in Code and Conduct
We write clean, secure, and auditable code. We commit to honesty in all our communications—internally, with clients, regulators, and the public. We never falsify data, misrepresent capabilities, or conceal critical information.

3. Security and Privacy
We uphold the highest standards of data protection. Financial data is sensitive; we treat it with utmost respect, implementing proactive measures to prevent breaches, misuse, or unauthorized access.

4. Accountability and Transparency
We take ownership of our work and decisions. When errors occur, we acknowledge them swiftly, communicate openly, and work diligently to correct them.

5. Compliance and Legal Standards
We comply fully with all applicable laws, regulations, and industry standards. Where rules are unclear, we act in the spirit of fairness, caution, and public interest.

6. No Conflicts of Interest
We avoid situations where personal interests could conflict with our professional duties. Transparency about potential conflicts is required and must be promptly disclosed.

7. Respect and Inclusion
We foster a respectful, inclusive environment where diverse perspectives are valued. Discrimination, harassment, and bias have no place in our company.

8. Continuous Improvement
We seek constant improvement—in our technology, our skills, and our ethical awareness. We encourage open dialogue about ethical concerns without fear of retaliation.

Living Our Values

Each team member is a steward of GENERAL BYTES’s reputation. Ethical conduct is not optional; it is an essential part of our mission. Every employee is expected to read, understand, and embody this codex daily.

When in doubt, speak up. Ethics is everyone's responsibility.

GENERAL BYTES Whistleblower Policy

At GENERAL BYTES, we are committed to maintaining the highest standards of integrity, transparency, and accountability.

Employees, contractors, and partners are encouraged to report any suspected misconduct, unethical behavior, legal violations, or breaches of company policies without fear of retaliation. All reports will be treated seriously, confidentially, and investigated promptly.

Reports can be made anonymously or directly to the designated Ethics Officer at ethics@generalbytes.com. Retaliation against anyone who raises a concern in good faith is strictly prohibited and will result in disciplinary action.

We value and protect those who speak up to protect GENERAL BYTES.

For any legal inquiries, serving subpoenas or submiting request for information please contuct us at legal@generalbytes.com. 

Please contact us at security@generalbytes.com.
If you are reporting a security issue make sure you read our Buounty Program policy.

Bug Bounty Program Overview

• GB encourages responsible disclosure of security vulnerabilities through our Bug Bounty program.
• Researchers must follow the written policy. This policy is not negotiable.
• Key rules:
  • Act in good faith and avoid policy violations.
  • Don’t do more than needed to prove a vulnerability. 
  • Don’t make threats or ransom demands.
  • Report vulnerabilities, including instructions and proof of concept exploit, as soon as discovered and validated.
  • Researchers are responsible for complying with all applicable laws.
  • Attempts to subvert or violate our policy will result in immediate ineligibility for this program. Threats or extortion attempts may be referred to law enforcement.
  • If you’re unsure about something, notify security@generalbytes.com for clarification.

Policy

GB strongly believes in the value of security professionals and developers assisting in keeping our products and users safe. GB has established and encourages coordinated vulnerability disclosure (CVD) via our Bug Bounty Program. The Bug Bounty program serves the GB mission by helping to protect GB customers.

By looking for bugs in GB systems, you agree to keep all data, information about vulnerabilities, your research, and communications with GB strictly confidential until GB has addressed the issue and granted permission for disclosure. 

Where the requirements of this Policy are complied with, GB agrees not to initiate legal action for security research performed following all posted GB Bug Bounty policies, including good faith, accidental violations.

Please avoid deliberate privacy violations by creating test accounts whenever possible. Should you encounter personally identifiable information (‘PII’) or other sensitive data for accounts you do not have express written consent of the account owner to use to validate your findings, please stop accessing that data immediately, and report the issue to GB with a description of the PII or other sensitive data, not the data itself.

In alignment with data protection regulations and our privacy policies, you must:

• Not store or transmit other clients’ PII. If you should happen to capture any client PII, report it to GB immediately and then destroy all copies of PII that are not yours.
• Minimize data collection and access during your research. Only collect and retain information absolutely necessary to demonstrate and report the vulnerability. 
• Immediately and securely delete all collected data once the report is submitted and GB has confirmed that it has received it.
• Not disclose any vulnerabilities or associated information to third parties without GB's express written consent. This includes but is not limited to social media, other companies, or the press.
• If you are reporting a data breach or the location of a data repository instead of a security vulnerability, please supply the location of the data and do not access it further, nor share the location of the data with others.

A bug bounty submission must never contain threats or any attempts at extortion. We are open to paying bounties for legitimate findings, however ransom demands are not eligible for payment. For example, not releasing information about the vulnerability or otherwise hindering the ability to resolve the vulnerability until other demands are met will be deemed a ransom demand. We may be required by law or voluntarily decide to report to authorities any bug bounty submission that contains ransom demands. 

We believe activities conducted consistent with this policy constitute “authorized” conduct under the Computer Fraud and Abuse Act (CFAA), the Digital Millennium Copyright Act (DMCA), and applicable anti-hacking laws such as Cal. Penal Code 503(c). We will not bring a claim against researchers for circumventing the technological measures we have used to protect the applications in scope of the Bug Bounty Program. However, following this policy does not mean that GB nor any other individual organization or government can grant immunity from global laws. It is the responsibility of individual security researchers to understand and comply with all applicable local and international laws regarding anti-hacking, data and privacy, and export controls. If a third party brings legal action against you and you were following the terms in this policy, GB will inform the pertinent law enforcement agencies or civil plaintiffs that your research activities were, to the best of our knowledge, conducted pursuant to, and in compliance, with the terms and conditions of this program.

It is required that each researcher submit a notification to us before engaging in conduct that may be inconsistent with or unaddressed by this policy. We welcome suggestions for policy clarifications that help researchers conduct their research and reporting with confidence.

Rewards

All bounty submissions are rated by GB and paid out based on vulnerability rating. All payouts will proceed in BTC to your verified KYC'ed Address and are defined as a guideline and subject to change.

• All bug reports must be submitted to security@generalbytes.com, the only official contact for this program. Please do not use external sites to submit vulnerability details. Any external sites or portals are unofficial and are not approved by GB.
• To receive bug bounty payments, you must:
  • Get KYC'ed by Veriff - Your identity will be verified. Steps to get KYC'ed will be sent by GB after successful submission.
• Asking for payment or other acknowledgment in exchange for vulnerability details will result in immediate ineligibility of bounty payments. Not releasing vulnerability details will also result in immediate ineligibility of bounty payments.
• Provide detailed instructions to reproduce the vulnerability and a Proof of Concept.
• If we cannot reproduce your findings, your report will not be eligible for payout. Exploit only what is needed to prove a security vulnerability and promptly return any assets that have been extracted.
• Disclosing vulnerability to other individuals is prohibited.
• Any attempt to bypass the procedures outlined in this policy will result in immediate ineligibility of bounty payments. 
• Include your Bitcoin (BTC) Address for Payment. All rewards will be issued in Bitcoin.
  Payment minimums are defined below. All payments may be modified at GB's discretion.
  The minimum payout is Bitcoin (BTC)  equivalent of $100 USD.

Submission Process

The following steps are taken to process a Bug Bounty submission:

1. Report is submitted to bug bounty mailbox
2. GB security acknowledges submission (SLA 2 Business Days)
3. GB security triages the submission (SLA 20 Business Days)
4. GB security sends response with determination, if deemed a vulnerability, notification includes severity level and amount of reward (we will ask for a BTC address and KYC instructions)
5. For security vulnerabilities, GB will send the reward (SLA 30 Business Days)

Payout Scale

Low Severity	$100-$500
Medium Severity	$500-$1000
High Severity	$1000-$2000
Critical Severity	$2000-$10000

In Scope

The following properties are in scope for bug bounty rewards

www.generalbytes.com	Main website
hq.generalbytes.com	GB software distribution site
apt.generalbytes.com	GB software distribution site
partner.generalbytes.com	GB customer portal
CAS	CAS software
BATM	Bitcoin ATM software and hardware
whalebooks.com	GB cryptocurrency accounting software hosting site
dnameter.com	GB DNA testing service

Vulnerability Ratings

Critical

Critical severity issues present a direct and immediate risk to a broad array of our users or to GB itself. They often affect relatively low-level/foundational components in one of our application stacks or infrastructure. For example:

• arbitrary code/command execution on a server in our production network.
• arbitrary queries on a production database.
• bypassing our sign-in process, either password or 2FA.
• access to sensitive production user data or access to internal production systems. 

High

High severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access. They are generally more narrow in scope than critical issues, though they may still grant an attacker extensive access. For example:

• XSS which bypasses CSP
• Discovering sensitive user data in a publicly exposed resource
• Gaining access to a non-critical, system to which an end user account should not have access

Medium

Medium severity issues allow an attacker to read or modify limited amounts of data that they are not authorized to access. They generally grant access to less sensitive information than high severity issues. For example:

• Disclosing non-sensitive information from a production system to which the user should not have access
• XSS that does not bypass CSP or does not execute sensitive actions in another user’s session
• CSRF for low risk actions

Low

Low severity issues allow an attacker to access extremely limited amounts of data. They may violate an expectation for how something is intended to work, but it allows nearly no escalation of privilege or ability to trigger unintended behavior by an attacker. For example:

• Triggering verbose or debug error pages without proof of exploitability or obtaining sensitive information.

Ineligibility

Reports in which we are not interested and are not eligible for reward include:

• Vulnerabilities on sites hosted by third parties (support.generalbytes.com, etc) unless they lead to a vulnerability on the main website. Vulnerabilities and bugs on out of scope sites.
• Vulnerabilities contingent on physical attack, social engineering, spamming, DDOS attack, etc.
• Vulnerabilities affecting outdated or unpatched browsers.
• Vulnerabilities in third party applications that make use of GB's API.
• Vulnerabilities publicly disclosed in third party libraries or technology used in GB products, services, or infrastructure earlier than 30 days after the public disclosure of the issue.
• Vulnerabilities that have been released publicly prior to GB issuing a comprehensive fix.
• Vulnerabilities already known to us, or already reported by someone else (reward goes to first reporter).
• Issues that aren't reproducible.
• Vulnerabilities that require an improbable level of user interaction.
• Vulnerabilities that require root/jailbreak on mobile.
• Missing security headers without proof of exploitability.
• TLS Cipher Suites offered.
• Suggestions on best practices.
• Software version disclosure.
• Any report without detailed step-by-step instructions and an accompanying proof of concept exploit.
• Issues that we can't reasonably be expected to do anything about, such as issues in technical specifications that GB must implement to conform to those standards.
• The output from automated tools/scanners or AI-generated reports.
• Issues without any security impact.

Non-security Issues

You can let us know about non-security issues at https://generalbytes.com/en/support.

At GENERAL BYTES, we are proud to be fully compliant with the Digital Operational Resilience Act (DORA). We recognize the critical importance of operational resilience in the financial technology sector and have implemented robust frameworks to ensure the security, stability, and continuous availability of our mission-critical systems. Our compliance reflects a company-wide commitment to risk management, cybersecurity, incident reporting, and third-party oversight, ensuring that we meet and exceed regulatory standards.

GENERAL BYTES has established clear and tested processes for risk identification, threat detection, incident response, and operational recovery. We regularly audit and update our procedures to align with DORA requirements and industry best practices. Our teams are trained to respond swiftly to incidents, maintain clear documentation, and work in close coordination with regulatory bodies when necessary. Through these measures, we ensure the resilience, reliability, and trustworthiness of the services we provide to our financial sector partners.