Registry Vulnerability Disclosure
Responsible disclosure rules for registry.attestlayer.com.
This disclosure page covers registry.attestlayer.com only, including public registry HTML pages, public proof endpoints, JWKS endpoints, verification-kit downloads, and other Registry-controlled static assets or APIs.
How to report
Email security@attestlayer.com with the affected URL or endpoint, steps to reproduce, impact, and any supporting screenshots, logs, or proof-of-concept material.
AttestLayer will acknowledge receipt within 3 business days and coordinate remediation before public disclosure.
Rules of engagement
- Keep testing non-destructive and focused on the Registry surface.
- Do not attempt to degrade availability, corrupt public history, or exfiltrate data from non-public systems.
- Do not attack third-party infrastructure, customer environments, or AttestLayer domains that are out of scope for this page.
- Stop once you have enough evidence to demonstrate the issue safely.
Out of scope
- Claims about customer environments or third-party services not operated by AttestLayer.
- Denial-of-service testing, spam, physical security, or social engineering.
- Issues that rely on treating non-active external witnessing or anchoring as though it were active.
This page does not promise a bug bounty.
Registry is a public read-only transparency surface. It is not a checkout, subscription, or customer account portal.