Security

Provenant is a governance and tamper-evident audit system for AI agents — security is the product. We welcome reports from security researchers and will work with you in good faith to confirm and fix issues.

Report a vulnerability

Email [email protected] with a description, reproduction steps, and impact. Please give us a reasonable window to remediate before any public disclosure, and avoid privacy violations, data destruction, or service degradation while testing. Our machine-readable policy is at /.well-known/security.txt.

In scope

  • The hosted control plane and dashboard (the vendor deployment).
  • The authorization decision path, credential broker, and the enforcing gateway (HTTP + MCP).
  • The tamper-evident ledger and signed-export verification.
  • The published SDKs (@identiqube/provenant-sdk, provenant-sdk).

Good-faith safe harbor

We will not pursue legal action against researchers who act in good faith, follow this policy, and avoid harm to data, privacy, and availability. Test only against accounts and data you own.

Verify our claims yourself

The ledger's tamper-evidence is independently checkable: download a signed export and verify its hash chain offline on the Verify page — it runs entirely in your browser, nothing is uploaded.