Security

1. License & Authentication Security

Every xHey license is cryptographically unique and bound to a single hardware identifier (HWID) upon first use. License keys are validated server-side on every session, ensuring revoked or expired keys cannot be used.

HWID resets are limited in frequency and require authenticated access, preventing unauthorized session transfers.

2. Data Encryption

All data stored in our systems is encrypted at rest using industry-standard encryption. Data in transit is protected via TLS 1.3. We do not store plaintext sensitive values.

HWID values are stored in hashed form and cannot be reversed to identify your hardware.

3. API Security

All API endpoints require authentication. Our relay layer uses secret token verification to prevent unauthorized access to internal validation services. All endpoints return minimal information — only what is necessary to operate the client.

Administrative operations require separate privileged credentials that are never exposed to client-facing APIs.

4. Binary Integrity

Every xHey release is accompanied by a SHA-256 checksum displayed in your dashboard. Always verify the checksum of downloaded binaries before running them.

5. Anti-Piracy Measures

xHey employs technical protection measures to prevent unauthorized copying and distribution. Attempts to crack, patch, or bypass the licensing system are detected and result in permanent revocation. We actively monitor for leaked or shared keys.

6. Responsible Disclosure

We take security seriously. If you discover a vulnerability in xHey or xnov.fun, please report it responsibly through our Discord server before any public disclosure.

We commit to acknowledging valid reports within 72 hours and resolving critical issues promptly. Responsible reporters may be rewarded at our discretion.

7. Contact

Security concerns should be reported privately through our official Discord server. Do not post vulnerability details publicly until they have been resolved.