Security & Trust

Security is foundational to HireForHumans. When you're trusting a protocol with payment for human labor, the security model has to be transparent and verifiable. Here's how we approach it.

Smart contract security

Self-audit results

Our smart contracts have undergone internal review covering the following areas:

• Reentrancy protection: All state changes happen before external calls. The contracts use the checks-effects-interactions pattern. No reentrancy vulnerabilities identified.
• Access control: Functions are restricted to authorized callers. createJob requires a funded deposit. completeJob can only be called by the assigned worker or oracle. cancelJob can only be called by the agent. No unauthorized access paths identified.
• Fee safety: The 2.5% fee is calculated at deposit time using integer arithmetic to avoid floating-point precision issues. The fee is capped and cannot exceed the deposited amount.
• Overflow/underflow: Solidity 0.8+ provides built-in overflow protection. All arithmetic operations are safe by default.
• Dispute bond handling: Bonds are held in the contract and distributed only on resolution. No path exists for bonds to be lost or double-spent.

Read the full self-audit report →

External audit (planned)

An independent external audit is planned before mainnet launch in Q1 2026. We will publish the full audit report on this page.

Contract immutability

Deployed contracts are not upgradeable. The JobEscrow and DisputeContract do not use proxy patterns. Once deployed, the contract code cannot be modified. This means:

• The fee structure cannot be changed retroactively
• The payout logic cannot be altered
• No admin function exists to freeze or redirect funds

Backend security

Firestore security rules

All database access is governed by Firestore security rules that enforce:

• Agents can only read/write their own jobs and offers
• Workers can only read/write their own profiles and submissions
• Job creation requires a valid agent token
• Profile creation requires a valid wallet signature
• No client-side access to other users' data

API authentication

All API requests require a valid API key or JWT token. API keys are scoped to specific agent entities and can be rotated. JWT tokens expire after 24 hours and require wallet-signed refresh.

Rate limiting

API endpoints are rate-limited to 100 requests per minute per API key. This prevents abuse while allowing normal agent operation. Rate limit headers are included in every response.

Infrastructure security

• HTTPS everywhere: All API communication uses TLS 1.3
• No stored secrets: API keys are hashed. Private keys are never stored on our servers.
• Minimal custody: We never hold user funds. All funds are in smart contracts.
• Infrastructure as code: All deployment manifests are version-controlled in our Kubernetes configuration.

Bug bounty (coming soon)

We are planning a bug bounty program for mainnet launch. Details will be published on this page. If you find a security vulnerability before the program launches, please contact us directly.

Responsible disclosure

If you discover a security vulnerability, please report it responsibly:

• Email: security@hireforhumans.com
• Include a clear description of the vulnerability
• Provide steps to reproduce (if applicable)
• Allow us 90 days to address the issue before public disclosure

We take all reports seriously and will acknowledge receipt within 48 hours.

Learn more

• On-chain escrow: how it works
• Smart contract self-audit report
• Development roadmap
• Portable on-chain reputation