SECURITY POSTURE

Trust the cryptography, not the vendor.

ByteVerity's security model is its product: evidence an outsider can verify with your systems switched off. Below is how that holds up — including against an adversary holding valid keys.

Offline, zero-network verification

The verifier recomputes a SHA-256 over a record's content and compares it to the signed manifest root — entirely client-side, with the producing engine absent and no call back to ByteVerity. The “0 network requests” claim is a property of the design, not a label. Verification holds with our systems, your IdP, and every engine switched off.

Content-addressed, signed receipts

Every proven plane is content-addressed: change one byte and the recomputed hash diverges, turning the verdict RED and naming the broken link. Receipts are signed (ed25519) and tamper-evident by construction — the same receipt that governs an action is the audit evidence.

Adversary-resistance — forged blame fails closed

A compromised agent can forge a run verdict, a knowledge write, and an approval with valid keys — and all three still verify RED, each naming the break. Forged blame never renders “proven.” Asserted context is rendered distinctly and never counts toward the verdict, so an attacker cannot pass off an assertion as a proof.

Offline, fail-closed revocation

Revoke a grant and every past action under it re-derives RED offline, from a signed status list, with no call back to the issuer. A bad agent's next action fails closed. Revocation binds to proof, so it holds even when the IdP is unreachable.

DATA HANDLING

Records carry what they attest to — classify them accordingly.

A record cites the upstream receipts it composes, so it can carry the very data it attests to. Secrets are masked on display (portal and CLI), but the exported bundle should be classified and shared under the same controls as the data it describes — ByteVerity adds no secrets of its own, but it does not strip what an upstream system already signed.

RESPONSIBLE DISCLOSURE

Found something? Tell us first.

If you believe you've discovered a vulnerability in ByteVerity, please report it privately and give us a reasonable window to remediate before any public disclosure. We do not pursue good-faith security research.