Security
Security posture, supported versions, responsible disclosure, and verification boundaries for Originary.
Supported versions
Security fixes are applied to the current stable release only. Older versions may not receive patches. See the changelog for release history and current release status.
Verification architecture
Verification is offline by design. Signed records use Ed25519 (RFC 8032) and compact JWS (RFC 7515). Verifiers need only the issuer's public key via JWKS. No callback to Originary or any external service is required. No implicit network fetch is performed during verification.
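The offline check described above, as an added example (not Originary's own code): a Node.js verifier that accepts a compact JWS only when its Ed25519 signature validates against a JWKS already held locally. The key id, the claim names `policy_hash` and `decision`, and the key pair are constructed for illustration.

```javascript
// Added example: offline verification of a compact JWS (RFC 7515) signed with
// Ed25519, using only a locally held JWKS. Key id, claims and keys are constructed.
const nodeCrypto = require('node:crypto');

const b64u = (buf) => Buffer.from(buf).toString('base64url');

// Constructed signer standing in for an issuer; used only to make sample input.
function signCompact(payload, privateKey, kid) {
  const header = b64u(JSON.stringify({ alg: 'EdDSA', kid }));
  const body = b64u(JSON.stringify(payload));
  const sig = nodeCrypto.sign(null, Buffer.from(`${header}.${body}`), privateKey);
  return `${header}.${body}.${b64u(sig)}`;
}

// Verify against a JWKS object passed in by the caller. No network access occurs:
// header fields that point at or embed a key (jku, x5u, jwk) are refused, not followed.
function verifyOffline(jws, jwks) {
  const parts = jws.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'not compact JWS' };
  let header;
  try { header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8')); }
  catch { return { ok: false, reason: 'bad header' }; }
  // Pin the algorithm: never let the token choose how it is verified.
  if (!header || header.alg !== 'EdDSA') return { ok: false, reason: 'alg not EdDSA' };
  if ('jku' in header || 'x5u' in header || 'jwk' in header)
    return { ok: false, reason: 'key reference in header refused' };
  const jwk = jwks.keys.find((k) => k.kid === header.kid && k.kty === 'OKP' && k.crv === 'Ed25519');
  if (!jwk) return { ok: false, reason: 'unknown kid' };
  const key = nodeCrypto.createPublicKey({ key: { kty: jwk.kty, crv: jwk.crv, x: jwk.x }, format: 'jwk' });
  const sig = Buffer.from(parts[2], 'base64url');
  // The signing input is the exact ASCII "header.payload" string as received.
  const valid = nodeCrypto.verify(null, Buffer.from(`${parts[0]}.${parts[1]}`), key, sig);
  if (!valid) return { ok: false, reason: 'bad signature' };
  return { ok: true, payload: JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8')) };
}

// Constructed sample data: a throwaway key pair, its JWKS, and one signed record.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
const SAMPLE_JWKS = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'example-key-1' }] };
const SAMPLE_RECORD = signCompact({ policy_hash: 'sha256:constructed', decision: 'allow' }, privateKey, 'example-key-1');
```

Calling `verifyOffline(SAMPLE_RECORD, SAMPLE_JWKS)` returns the decoded payload; a record with an altered payload, an unknown `kid`, or a `jku` header is rejected with a reason string.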
Key management
Signing keys are Ed25519. In self-hosted mode, keys are generated and stored locally. In managed mode, keys are backed by cloud KMS (AWS KMS, GCP Cloud KMS, Azure Key Vault, or HashiCorp Vault). Key rotation follows a 5-state lifecycle with 30-day overlap. Revoked keys are tracked.
Dependency and supply-chain posture
All published npm packages are released via GitHub OIDC with provenance attestation. CI runs CodeQL security-extended analysis, dependency review, and audit gates. The repository enforces GitHub Actions SHA pinning. No ambient key discovery is performed. All dependencies are lockfile-pinned.
Data boundaries
Signed records contain policy hashes and decisions, not raw request payloads. In self-hosted mode, no data leaves your environment. In managed mode, only key lifecycle operations or record storage (depending on tier) involve Originary infrastructure. Verification never depends on Originary being online.
Network posture
No implicit fetch. No SSRF. URL fields in records are locator hints only and are never automatically dereferenced. The MCP server binds to localhost only with CORS deny-all, rate limiting, and size limits.
Responsible Disclosure
We appreciate responsible disclosure. Email security@originary.xyz or contact@originary.xyz with details and reproduction steps.
Our commitment
- Acknowledge your report within 5 business days
- Keep you updated on our progress
- Provide public credit where possible
- Work with you on responsible disclosure timing
Guidelines
- Please avoid testing against other users' accounts
- Respect rate limits and don't cause service disruption
- Don't access or modify data that isn't yours
- Report vulnerabilities as soon as you discover them
Scope
This policy covers:
- originary.xyz and subdomains
- Our APIs and services
- CLI and code samples we publish
- Infrastructure directly under our control
What to include
- Detailed description of the vulnerability
- Steps to reproduce the issue
- Potential impact assessment
- Any proof-of-concept code (if applicable)
- Your preferred method of communication
Bounty program
No formal bounty program at this time. We do provide public credit and our sincere gratitude for responsible disclosure.
Legal
We will not pursue legal action against researchers who:
- Follow this responsible disclosure policy
- Act in good faith
- Don't violate privacy or cause harm
- Don't access or modify data beyond what's necessary for testing
Security contact information is also available in our security.txt file.