Security & Disclosure Policy
DCS Labs operates cryptographic infrastructure that real users and government deployments depend on. We take security seriously and welcome coordinated disclosure of any vulnerability you discover.
⚠️ Found a vulnerability? Email us privately
For high-severity issues affecting cryptographic primitives, the on-chain SBT contract, or the receipt chain — please encrypt your report with our PGP key (below). Do not open public GitHub issues for security bugs.
Scope
The following are in scope for coordinated disclosure:
| Component | Where it lives |
|---|---|
| R+2 Open Provenance Standard | dcslabs.ai/standard |
| TRDWorkerSBT contract | basescan.org/address/0xbDd1f5fC349D9a8EfCEb07Edbd491233b2540f5F |
| @trdnetwork/mcp-server | npm registry |
| @trdnetwork/r2-verify | npm registry |
| Sovereign Memory API | api.dcslabs.ai/api/memory/* |
| Agent Treasury / Settlement | api.dcslabs.ai/api/economy/* |
| Production web surfaces | dcsai.ai, dcslabs.ai, api.dcslabs.ai |
Out of scope
- Third-party services we don't operate (Cloudflare, Render, Supabase, OpenAI, Base mainnet itself).
- Social engineering against our staff (we're solo founder for now — please don't try).
- Physical security of our infrastructure (operated by upstream providers).
- Denial-of-service via volumetric attacks.
- Findings from automated scanners without manual validation.
- "Self-XSS" or other issues requiring an attacker to already have full control of a user's browser.
Severity classes & expected response time
| Severity | Examples | Initial response |
|---|---|---|
| Critical | Cryptographic primitive break · contract exploit · unauthorized fund movement · receipt forgery | < 4 hours |
| High | Authentication bypass · arbitrary memory read · privilege escalation | < 24 hours |
| Medium | Information disclosure · CSRF on sensitive actions | < 72 hours |
| Low | Best-practice deviations · missing security headers | < 7 days |
Coordinated disclosure timeline
- Day 0: Reporter sends report to
[email protected]. - Day 1-3: DCS acknowledges receipt, confirms scope, assigns severity.
- Day 7-30: DCS develops, tests, and ships a fix (longer for cryptographic issues that require spec coordination).
- Day 90: Public disclosure with credit to the reporter (unless safety-critical, in which case extended embargo is negotiated).
We aim to publish a security advisory at dcslabs.ai/blog for every fix shipped under this policy.
What we promise reporters
- We will respond to your report within the SLA above.
- We will keep you informed of progress as we triage and fix.
- We will give you credit in the public advisory (or anonymous, if you prefer).
- We will not pursue legal action against you for reporting a vulnerability in good faith.
- We will not sue or threaten any researcher acting in compliance with this policy.
What we ask reporters
- Don't access, modify, or destroy data that doesn't belong to you.
- Don't perform testing that could degrade service for other users.
- Don't attempt social engineering against our team or users.
- Don't publicly disclose before we've had a reasonable chance to fix.
- Don't extort or threaten us. Reports made in good faith are welcome and rewarded; reports paired with threats are not and will be reported to law enforcement.
Bounty
We don't currently operate a paid bug bounty program (we're solo-founder, pre-revenue). However:
- We will publicly credit your finding (with your consent).
- We may offer a memorial Agent SBT minted in your honor on Base mainnet.
- As the team scales, we plan to launch a formal HackerOne / Immunefi bounty program with cash rewards. We'll announce on this page.
PGP key
For high-severity reports involving cryptographic primitives or the on-chain contract, please encrypt your message with our PGP key.
Fingerprint: TODO — DCS to publish PGP fingerprint by May 24, 2026
Full key: dcslabs.ai/security/pgp.txt (will be published with the launch — current placeholder)
Until the PGP key is published, send via email and we'll respond on a Signal channel for sensitive follow-up.
Security architecture overview
For reviewers preparing audit assessments, the headline architecture is:
- Cryptographic foundations: Ed25519 (RFC 8032) for signing, SHA-256 (FIPS 180-4) for hashing, base64url no-padding (RFC 4648 §5) for encoding, canonical JSON per RFC 8785.
- Libraries:
@noble/curvesfor Ed25519 (audited, no native deps),canonicalizenpm package for RFC 8785,libsodiumon the backend. - Key custody: User-controlled wallet private keys are encrypted server-side with AES-256 using a master
CUSTODY_MASTER_KEYnever exposed in logs or to the application layer. - Smart contract: TRDWorkerSBT is a Solidity ERC-5114 implementation, deployed on Base mainnet at
0xbDd1f5fC349D9a8EfCEb07Edbd491233b2540f5F. Source code at github.com/DCS-LabsAI. - Auditor target: we plan to commission a formal smart-contract audit (Trail of Bits, ConsenSys Diligence, or OpenZeppelin tier) before mainnet TVL exceeds $1M USDC.
Contact
Security: [email protected] · [email protected]
For non-security infrastructure questions: [email protected]