DCS Labs · Security Disclosure PGP Key
=======================================

Use this key to encrypt high-severity vulnerability reports involving:
  - R+2 cryptographic primitives (Ed25519, RFC 8785 canonicalization, hash-chain)
  - The TRDWorkerSBT contract on Base mainnet
  - Key custody (CUSTODY_MASTER_KEY, agent private key handling)
  - Receipt forgery or impersonation vectors

Send encrypted reports to: security@dcslabs.ai

---

STATUS: Placeholder published 2026-05-21. The real PGP key will be
generated, signed by the founder, and published here by 2026-05-24.

Until the real key is published:
  1. Email an unencrypted summary (no exploit details) to security@dcslabs.ai
  2. Include your Signal username or other secure channel for follow-up
  3. We will respond within 4 hours during IST business hours with a Signal
     contact to receive the full report securely

After the real PGP key is published (target: 2026-05-24), this file
will be replaced with the ASCII-armored public key. Watch the
changelog at https://dcslabs.ai/changelog for the announcement.

---

Reference identifiers (for cross-verification of future key):

  Identity:    DCS Labs Security <security@dcslabs.ai>
  Algorithm:   Ed25519 (signing) + Curve25519 (encryption)
  Key length:  256-bit (modern standard)
  Expiry:      1 year, with overlap re-keying

The fingerprint will also be published at:
  - https://dcslabs.ai/security  (live)
  - https://dcsai.ai/.well-known/security.txt  (planned)
  - In the DCS Labs founder's pinned X / Farcaster post
  - Hand-delivered to Anthropic Standards Program, MeitY, and ISRO security
    contacts during the R+2 standards-body engagement

If you receive a key claiming to be from DCS Labs that doesn't match
the fingerprint at all three publication points, do NOT trust it. Email
security@dcslabs.ai (unencrypted) to verify.

---

Founder direct (for highest-severity, time-critical issues only):

  Deepak Dudi
  founder@dcsai.ai

Use the founder-direct channel only when:
  - The vulnerability is being actively exploited
  - Funds are at risk on the Base mainnet contract
  - Receipt forgery has been demonstrated in production
  - You have already attempted security@dcslabs.ai and received no
    response within 4 hours during business hours

We treat all reports seriously. We will not legally pursue good-faith
reporters. See full responsible disclosure policy:
  https://dcslabs.ai/security

---

© 2026 DCS AI Technologies L.L.C · Dubai, UAE
Coordinated disclosure · 90-day standard window