How we operate, and how to report a vulnerability.
If you found a vulnerability
Email security@proofoftech.org with reproduction steps. We acknowledge reports within one business day and remediate critical issues within seven calendar days. For coordinated disclosure, propose a date in the initial email; we will agree or negotiate. We are not running a paid bug bounty; we will credit reporters in the engagement record unless you ask us not to.
We do not currently publish a PGP key. If your report contains sensitive material, ask in the first email and we will send you a one-shot age recipient or arrange a Signal handoff.
Engagement defaults
On every engagement we operate under your access controls and your data-handling policy. We do not exfiltrate production data, we do not use customer data to train models, and we do not retain copies after the engagement ends unless your engagement letter explicitly says otherwise.
Default postures we ship with: TLS 1.3 in transit, AES-256 at rest, hardware-attested compute for sensitive inference workloads (see our TEE vs. FHE post), least-privilege service accounts, and no shared credentials across customers.
Onchain work
Smart contracts we write are audited by a third party before mainnet deployment. Our default auditor relationship is with OpenZeppelin; clients can substitute Trail of Bits, Spearbit, or another firm at cost. Verifier contracts for our zkML deployments (Halo2 via EZKL) are part of the audit scope.
For decentralized-training engagements (Bittensor subnets, DiLoCo coordinators), we ship validator policy and emissions designs with a written threat model and a sandbagging-detection budget.
What we don't do
We do not deploy without a written runbook. We do not hold customer keys on shared infrastructure. We do not ship agent harnesses without a per-counterparty spend ceiling (see our x402 post for the rationale).
Compliance posture
We follow CIS Benchmarks for Linux hosts and AWS configuration. We do not currently hold SOC 2 attestation; engagements that require it either run inside the client's compliant environment or pair us with a vendor of record who does.
Contact
Security issues: security@proofoftech.org. For general questions: hello@proofoftech.org.