Security

WitnessOps security practices and policies.

Last updated: March 2026

Security posture

WitnessOps is built around explicit trust boundaries, signed receipts, tamper-evident evidence bindings, and governed execution paths. These controls improve auditability and integrity, but they do not eliminate the trust assumptions documented elsewhere in the WitnessOps docs.

Vulnerability reporting

Report vulnerabilities to security@witnessops.com through the responsible disclosure process. This shared mailbox is the canonical WitnessOps security address. If security+witnessops@witnessops.com is enabled for controlled token intake, it remains a receive-only alias and does not replace the canonical mailbox. We aim to acknowledge reports within 72 hours and coordinate remediation before public disclosure.

Testing rules

Do not perform destructive testing, denial-of-service activity, data exfiltration, or attempts to access systems outside clearly authorized scope. If you are unsure whether a test is safe or authorized, stop and report the issue instead.

Verification continuity

If a service is unavailable, previously issued Tier 1 artifacts and proof bundles remain independently verifiable as long as the required public verification material is available. WitnessOps web is a display surface; verification authority remains in the shared proof receipt boundary.
