The VeritasChain Standards Organization (VSO) takes security seriously. If you discover a security vulnerability in the CAP specification or related implementations, please report it responsibly.
Email: security@veritaschain.org
Please include:
- Description of the vulnerability
- Steps to reproduce (if applicable)
- Potential impact assessment
- Any suggested mitigations
Response timeline:
| Phase | Timeline |
|---|---|
| Acknowledgment | Within 48 hours |
| Initial assessment | Within 7 days |
| Status update | Within 14 days |
| Resolution target | Within 90 days |
This security policy covers:
- CAP specification documents
- JSON schemas
- Reference implementations in this repository
- Test vectors and examples
The following are out of scope:
- Third-party implementations of CAP
- Vulnerabilities in dependencies (report to upstream maintainers)
- Social engineering attacks
- Physical security issues
CAP relies on the following cryptographic primitives:
| Component | Algorithm | Standard | Security Level |
|---|---|---|---|
| Event Hash | SHA-256 | FIPS 180-4 | 128-bit |
| Digital Signature | Ed25519 | RFC 8032 | 128-bit |
| Canonicalization | JCS | RFC 8785 | N/A |
| UUID Generation | UUID v7 | RFC 9562 | N/A |
CAP is designed with crypto agility in mind. The HashAlgo and SignAlgo fields allow future migration to post-quantum algorithms (e.g., CRYSTALS-Dilithium) without breaking backward compatibility.
Implementers SHOULD:
- Support algorithm negotiation
- Plan for algorithm deprecation
- Monitor NIST PQC standardization
The hash chain provides tamper detection but not prevention. Implementers MUST:
- Store events in append-only storage where possible
- Implement external anchoring (Merkle roots) for high-assurance deployments
- Verify chain integrity on every access
CAP timestamps require reliable time sources. Implementers SHOULD:
- Use NTP with authenticated time sources
- Consider PTP (IEEE 1588) for high-precision requirements
- Log time source synchronization status
Ed25519 keys for signing require proper management:
- Generate keys using cryptographically secure random number generators
- Store private keys in HSMs or secure enclaves for production use
- Implement key rotation procedures
- Maintain key revocation lists
CAP uses hashing for privacy protection. However:
- PromptHash may be vulnerable to rainbow table attacks for common prompts; consider salting for high-sensitivity deployments
- Actor anonymization (k-anonymity) may be insufficient for unique users
For detailed threat analysis, see docs/Threat-Model.md.
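The following is an added illustration of two of the controls above, verifying the hash chain on every access and salting PromptHash; it is example code written for this page, not code from the VSO repository. The field names PrevHash and EventHash, the all-zero genesis value and the HMAC-based salting are assumptions, and the canonicalization helper only approximates RFC 8785 for strings, integers and booleans.

```python
import hashlib
import hmac
import json
from typing import Optional

GENESIS = "0" * 64  # assumed sentinel PrevHash for the first event in a chain

def canonicalize(obj) -> bytes:
    # Approximates RFC 8785 (JCS) for objects built from strings, ints, bools
    # and nesting: sorted keys, no whitespace, UTF-8. Real JCS also fixes
    # number formatting (ES6 doubles), which this helper does not implement.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def event_hash(event: dict) -> str:
    # SHA-256 over the canonical form of every field except EventHash itself
    body = {k: v for k, v in event.items() if k != "EventHash"}
    return hashlib.sha256(canonicalize(body)).hexdigest()

def append_event(chain: list, payload: dict) -> dict:
    # Link the new event to its predecessor via PrevHash, then seal it
    prev = chain[-1]["EventHash"] if chain else GENESIS
    event = {"HashAlgo": "SHA-256", "PrevHash": prev, **payload}
    event["EventHash"] = event_hash(event)
    chain.append(event)
    return event

def verify_chain(chain: list):
    # Returns (True, None) or (False, index of the first failing event). A
    # tampered event that was re-hashed still fails at its successor, whose
    # PrevHash no longer matches; detection only, not prevention.
    prev = GENESIS
    for i, ev in enumerate(chain):
        if (ev.get("HashAlgo") != "SHA-256" or ev.get("PrevHash") != prev
                or event_hash(ev) != ev.get("EventHash")):
            return False, i
        prev = ev["EventHash"]
    return True, None

def prompt_hash(prompt: str, salt: Optional[bytes] = None) -> str:
    # Unsalted SHA-256 of a common prompt can be matched against a precomputed
    # table; keying it with a deployment-secret salt (HMAC) defeats that.
    data = prompt.encode("utf-8")
    if salt is None:
        return hashlib.sha256(data).hexdigest()
    return hmac.new(salt, data, hashlib.sha256).hexdigest()
```

Rewriting any field of an earlier event, or re-hashing it after the rewrite, makes verify_chain report the first event at which the chain no longer agrees with itself.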
VSO practices coordinated disclosure:
- Reporter notifies VSO
- VSO acknowledges and investigates
- VSO develops fix/mitigation
- VSO notifies affected parties (if applicable)
- Public disclosure after fix is available
We request a 90-day disclosure window for critical vulnerabilities.
Security advisories will be published:
- In this repository's Security tab
- On https://veritaschain.org/security
- Via the security@veritaschain.org mailing list
We thank security researchers who responsibly disclose vulnerabilities. Contributors will be acknowledged (with permission) in our security advisories.
Contact: security@veritaschain.org
PGP Key: Available upon request
Last updated: 2026-01-13