Security
Responsible
disclosure.
Attestix is cryptographic compliance infrastructure. We treat vulnerabilities with urgency. If you have found a security issue in any Attestix module, MCP tool, REST endpoint, or integration, please contact us through a private channel before public disclosure.
Email security@vibetensor.com with a description, reproduction steps, and your preferred attribution. We will acknowledge within 48 hours and provide a target resolution timeline within five business days.
Process
- 01. Report privately. Include reproduction, affected version, impact.
- 02. We acknowledge in 48 h and triage.
- 03. We patch, request CVE if appropriate, and prepare a release.
- 04. Coordinated disclosure at release time with credit.
Recent disclosures
ATX-* are internal tracking IDs assigned during the coordinated fix cycle, not CVE numbers. Upstream dependency fixes link to the upstream advisory. Project-scoped findings are promoted to CVE assignments when disclosed externally.
| ID | Date | Severity | Issue | Fixed in |
|---|---|---|---|---|
| ATX-2026-04 | 2026-04-17 | HIGH | Delegation chain auth bypass Parent token verification + capability attenuation enforced in UCAN chain. | v0.3.0 |
| ATX-2026-03 | 2026-04-15 | HIGH | PyJWT upstream CVE mitigation Pinned PyJWT >= 2.12.0 with dependency lock. | v0.3.0 |
| ATX-2026-02 | 2026-04-10 | MEDIUM | Server-side request forgery in agent-card fetch URL allowlist, private-IP block, redirect limit. | v0.3.0 |
| ATX-2026-01 | 2026-04-02 | MEDIUM | API timing side-channel on credential verify Constant-time signature comparison. | v0.3.0 |