Security

Reporting, scope, cryptographic claims, and disclosure policy.

Reporting a vulnerability

Email security@epochcoreqcs.com (or epochcoreras@gmail.com as fallback).

We acknowledge within 24 hours and aim to land a fix or mitigation within 7 days for high-severity issues.

Please include:

• Affected component (API endpoint, SDK version, site URL, etc.)
• Reproduction steps
• Impact assessment (auth bypass, key exposure, integrity break, DoS, etc.)
• Your preferred attribution name (or "anonymous")

No paid bounty yet. Reporter credit published in the changelog with permission.

Scope

In scope

• ai.epochpay.today (this product's site + API)
• seal.epochpay.today/api/seal (upstream Sealed intake)
• chain.epochcoreqcs.com/v1/verify (public verifier)
• Python SDK sealed-for-ai
• TypeScript SDK @epochquant/sealed-for-ai

Out of scope

• Third-party services (Cloudflare, Resend, Stripe — report directly)
• Social engineering, physical security, denial-of-service tests against production
• Vulnerabilities in non-EpochCore systems that link to ours

Cryptographic claims

Every seal produced by Sealed for AI is:

1. Hashed with SHA-256 (FIPS 180-4)
2. PHI-lattice augmented for entropy-distance scoring
3. Signed with Ed25519 (RFC 8032) — production CEO key id: 5D579BC434FE1EE7
4. Co-signed with ML-DSA-87 (FIPS 204) — post-quantum readiness
5. Anchored to Base L2 via the public chain ledger
6. Retained for 7 years (SEC 17a-4 / FINRA-4370 minimum)

If you can produce two distinct artifacts that hash to the same chain_root, or two valid Ed25519 signatures from the production key over inputs we did not authorize, that is a P0 finding.

Key rotation

Production keys rotate annually. The signing_key_id field on every seal identifies which key signed it. Historic keys remain valid for verification of artifacts they signed at the time.

Disclosure policy

Coordinated disclosure:

1. Report received → acknowledgment within 24h.
2. Mutual understanding of impact + scope → within 72h.
3. Fix landed in production → typically within 7 days for high-severity.
4. Public advisory + reporter credit → within 14 days of fix, or 90 days from report (whichever first).

Provenance of this page

This page is itself sealed against the current release tree hash. See /changelog for the chain root of the current release.