The Attestplane organization takes security disclosures seriously, particularly because Attestplane is itself a security/audit substrate — a vulnerability in our codebase undermines the integrity of every downstream audit trail.
Do not file public GitHub issues for security disclosures.
Use one of the following channels:
- GitHub Private Vulnerability Reporting — preferred, traceable, and integrated with CVE issuance. Open a private report on the specific repository when published.
- Email: security@attestplane.com (PGP key published here when the first repository goes public).
- In an emergency (active exploitation, data at risk now): use any of the above and additionally email contact@attestplane.com for an out-of-band acknowledgement.
| Stage | Target |
|---|---|
| Acknowledgement of report | 72 hours |
| Initial triage + severity assignment | 7 days |
| Fix or written mitigation plan | 90 days |
| Public CVE / GHSA disclosure | Coordinated with reporter; default = on patch release |
In scope:
- Cryptographic integrity of the audit chain (BLAKE3 chain, RFC-3161 anchoring, replay Merkle root)
- Authentication / authorization on /v1/auditor/* endpoints
- Tenant isolation (Postgres RLS)
- Supply-chain attacks against our published artifacts (npm / crates.io / PyPI)
- Memory safety in the Rust workspace
- Tamper-evidence guarantees claimed in our documentation
Out of scope:
- Configuration-level vulnerabilities introduced by users (e.g., disabling tenant RLS)
- Volumetric DoS without privilege escalation
- Findings in test fixtures or archived/ directories
- Findings that depend on social engineering of maintainers
We follow CVSS v4.0 for severity scoring and the Google Project Zero 90-day disclosure norm.
We will give reporters credit (acknowledgement section of the public advisory) unless the reporter requests anonymity.
As of 2027-12-11, the EU Cyber Resilience Act applies if Attestplane is placed on the EU market commercially. Severe vulnerabilities being actively exploited must be reported to ENISA within 24 hours (early warning) and 72 hours (detailed report). This policy will be amended to align with the final implementing regulation.
Once the first repository publishes:
- Releases will be signed with Sigstore (keyless OIDC).
- Maintainer PGP keys will be published at https://attestplane.com/.well-known/pgp-keys.txt.
Until then, all communication remains via the unencrypted email + GitHub PVR channels listed above.
Last updated: 2026-05-16