Security
Responsible disclosure policy, security architecture, post-quantum crypto details, SBOM and provenance endpoints.
Responsible disclosure
We follow a 90-day coordinated disclosure window. If you find a security vulnerability in DataCork:
- Email security@datacork.com with a description and reproduction steps.
- We acknowledge within 24 hours and assign a CVE candidate within 5 business days.
- We provide a patch or mitigation within 90 days. If we need more time, we negotiate with you.
- After fix deployment, we publish a CVE advisory (or jointly publish if you prefer coordinated disclosure).
- We credit you in the advisory unless you prefer anonymity.
For PGP-encrypted reports, use the key at /.well-known/security.txt. Fingerprint: 4A2B 8C3D E1F9 0A5B 7C2E 3D4F 5A6B 7C8D 9E0F 1A2B (placeholder — real key published at launch).
CVE history
No CVEs at launch. This section will be updated as disclosures are made.
Post-quantum architecture
DataCork uses a hybrid key exchange approach aligned with CNSA 2.0:
- WireGuard: Provides Curve25519 Diffie-Hellman key exchange, ChaCha20-Poly1305 data encryption, and BLAKE2s-based key derivation.
- Rosenpass: Layered on top of WireGuard to provide ML-KEM-768 (CRYSTALS-Kyber) post-quantum key encapsulation. The Rosenpass PSK replaces WireGuard's pre-shared key slot, ensuring post-quantum forward secrecy.
- Hybrid approach: Neither algorithm alone is trusted. A break in either classical (ECDH) or PQ (ML-KEM) does not break the session. This is the CNSA 2.0 requirement.
Architecture details: see the Rosenpass paper. DataCork's specific deployment follows the field guide from Perfecta Federal (available to Business tier customers under NDA).
SBOM and provenance
All DataCork container images are signed with Cosign and include CycloneDX SBOM attestations. Verify any image:
# Verify container image signature
cosign verify ghcr.io/datacork/conduit-api:latest \
  --certificate-identity=https://github.com/datacork/conduit/.github/workflows/release.yml@refs/heads/main \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com

# Download SBOM
cosign download attestation ghcr.io/datacork/conduit-api:latest \
  --predicate-type=https://cyclonedx.org/bom/v1.4
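What the download command prints is not the SBOM itself but one DSSE envelope per line, whose base64 `payload` is an in-toto Statement carrying the CycloneDX document as its `predicate`. The following Python is an added example, not DataCork tooling; it builds a constructed two-envelope sample (a SLSA provenance entry followed by the SBOM) and extracts the component list from the envelope whose predicate type matches the one in the command above.

```python
"""Pull the CycloneDX SBOM out of `cosign download attestation` output.

cosign prints one DSSE envelope per line; `payload` is a base64-encoded
in-toto Statement whose `predicateType` names the attestation kind and
whose `predicate` is the SBOM. Constructed sample, not a real attestation.
"""
import base64
import json

CYCLONEDX_PREDICATE = "https://cyclonedx.org/bom/v1.4"


def make_envelope(predicate_type: str, predicate: dict) -> str:
    """Build a DSSE envelope line the way cosign prints it (unsigned here)."""
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": predicate_type,
        "subject": [{"name": "ghcr.io/datacork/conduit-api",
                     "digest": {"sha256": "0" * 64}}],  # constructed digest
        "predicate": predicate,
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({"payloadType": "application/vnd.in-toto+json",
                       "payload": payload, "signatures": []})


# Constructed sample output: a SLSA provenance envelope first, then the SBOM.
SAMPLE_OUTPUT = "\n".join([
    make_envelope("https://slsa.dev/provenance/v1", {"buildType": "constructed"}),
    make_envelope(CYCLONEDX_PREDICATE, {
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "openssl", "version": "3.0.13"},
            {"type": "library", "name": "zlib", "version": "1.3.1"},
        ],
    }),
])


def extract_sbom_components(cosign_output: str) -> list[str]:
    """Return "name@version" for every component in the CycloneDX attestation."""
    for line in cosign_output.splitlines():
        if not line.strip():
            continue
        statement = json.loads(base64.b64decode(json.loads(line)["payload"]))
        if statement.get("predicateType") != CYCLONEDX_PREDICATE:
            continue  # some other attestation (e.g. SLSA provenance); skip it
        bom = statement["predicate"]
        return [f"{c['name']}@{c.get('version', '?')}" for c in bom.get("components", [])]
    raise ValueError("no CycloneDX attestation in cosign output")
```

`cosign download attestation` does not check the envelope's signatures, so treat the extracted list as untrusted until `cosign verify-attestation --type cyclonedx` with the same identity and issuer flags as the verify command above has passed.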
Well-known endpoints (available once CF is deployed):
- /.well-known/sbom — links to latest SBOM for each component
- /.well-known/provenance — SLSA provenance attestation links
- /.well-known/security.txt — security contact and PGP key