If you discover a security vulnerability in Attest, please report it responsibly.

Do not open a public GitHub issue for security vulnerabilities.

Instead, email otto@0tt0.net with:

• A description of the vulnerability
• Steps to reproduce or a proof of concept
• The impact you believe it has

You should receive an acknowledgement within 48 hours. We will work with you to understand the issue and coordinate a fix before any public disclosure.

The following are in scope for security reports:

• Signature forgery or bypass in receipt creation/verification
• Hash chain integrity violations
• Key material leakage
• SQL injection or other input-handling flaws in the SQLite store
• Vulnerabilities in the MCP proxy that could allow unauthorized actions

• We aim to confirm and triage reports within 48 hours.
• We will coordinate a fix and release timeline with the reporter.
• We credit reporters in the release notes unless they prefer to remain anonymous.
• We ask that you give us reasonable time to address the issue before public disclosure.