Security

Coordinated Disclosure

Report vulnerabilities privately to security@timeproofs.io. Optionally encrypt using our PGP key at /pgp.txt. Our policy and contacts appear in /.well-known/security.txt.

• We will acknowledge, triage, and coordinate timelines.
• Please avoid data access beyond proof-of-concept. No public disclosure before a fix.
• No bug bounty in v0.1. We credit qualifying reports by consent.

Scope

• Public API: /api/timestamp, /api/verify
• Static site and verification UI
• Edge runtime on Cloudflare Workers + KV

Out of scope

• DoS without a novel bypass
• Self-XSS requiring the victim to paste code
• 3rd-party platform issues

Cryptography

• Hashing: SHA-256 client-side or by user systems
• Signing: HMAC-SHA256 over hash + "\n" + timestamp + "\n" + base64url(meta)
• Transport: TLS only
• Key management: rotation via kid policy

Protocol details: ProofSpec.

Operational Hardening

• Minimal data: hashes + small optional metadata only
• Strict validation and size limits
• Edge rate limiting and abuse detection
• Clock sync and signed timestamps

Acknowledgments

We thank researchers practicing responsible disclosure. Names added here with consent.

• —

Contacts & Keys

• Email: security@timeproofs.io
• PGP: /pgp.txt
• Security policy: /.well-known/security.txt