Security · coordinated disclosure
Report it. We won't threaten you for it.
A trust system that can't take a vulnerability report isn't trustworthy. Report security issues to security@truststandardprotocol.com — good-faith research is met with coordinated handling, not legal threats.
Security posture
How we handle keys, disclosure, and your verification.
- Coordinated disclosure: report → triage → fix → disclose → credit. No legal threat for good-faith research.
- Separate dev / staging / production keys; rotation and revocation are tested before launch, and no production keys live in public repos.
- No phone-home for self-hosted verification, no hidden telemetry, and no remote kill switch for free verification.
- The root public key is published — on the site, in each SDK, and in /.well-known — so anyone can verify the certificate chain offline.
Coordinated disclosure
The machine-readable contacts.
The canonical contact and policy live in security.txt; the protocol surface descriptor lives in tsp.json. Both are linked below and from the agent surface.
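A security.txt file only helps if it parses and has not lapsed: RFC 9116 requires at least one Contact URI and exactly one Expires timestamp, and a reader will ignore the file once that timestamp is past. The validator below is an added example, not part of this page or the protocol's own tooling; it checks a constructed security.txt body against those rules before it is published. The mailto address is the one given above; the Policy URL and the timestamps are assumptions used only to exercise the checks.

```python
"""Validate a security.txt (RFC 9116) body before publishing it.

Checks the rules that most often go wrong: at least one Contact, exactly one
Expires, Expires parseable as RFC 3339 and still in the future (RFC 9116 also
recommends keeping it under a year out), and Contact values written as
mailto:/https:/tel: URIs rather than bare addresses.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

# Constructed sample. The mailto contact is the one the page gives; the
# Policy URL and the Expires date are assumptions for this example.
SAMPLE = """\
# security.txt for truststandardprotocol.com (constructed example)
Contact: mailto:security@truststandardprotocol.com
Expires: 2099-01-01T00:00:00Z
Policy: https://truststandardprotocol.com/security
Preferred-Languages: en
"""

# Constructed sample with two common mistakes: a bare e-mail address
# instead of a mailto: URI, and no Expires field at all.
BAD_SAMPLE = """\
Contact: security@truststandardprotocol.com
Policy: https://truststandardprotocol.com/security
"""

FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z-]*):[ \t]*(.*)$")
CONTACT_SCHEMES = ("mailto:", "https:", "tel:")


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Map field name -> list of values; comments and blank lines are skipped."""
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FIELD_RE.match(line)
        if not m:
            raise ValueError(f"not a 'Field: value' line: {raw!r}")
        name, value = m.group(1), m.group(2).strip()
        fields.setdefault(name, []).append(value)
    return fields


def parse_expires(value: str) -> datetime:
    """Parse an RFC 3339 timestamp; a trailing 'Z' is rewritten to +00:00."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError("Expires must carry a timezone offset")
    return dt


def validate(text: str, now: datetime | None = None) -> list[str]:
    """Return a list of problems; an empty list means the file is publishable."""
    now = now or datetime.now(timezone.utc)
    try:
        fields = parse_security_txt(text)
    except ValueError as exc:
        return [str(exc)]

    problems: list[str] = []
    contacts = fields.get("Contact", [])
    if not contacts:
        problems.append("missing required Contact field")
    for c in contacts:
        if not c.startswith(CONTACT_SCHEMES):
            problems.append(f"Contact is not a mailto:/https:/tel: URI: {c}")

    expires = fields.get("Expires", [])
    if len(expires) != 1:
        problems.append(f"Expires must appear exactly once, found {len(expires)}")
    else:
        try:
            exp = parse_expires(expires[0])
        except ValueError as exc:
            problems.append(f"Expires is not RFC 3339: {exc}")
        else:
            if exp <= now:
                problems.append("Expires is in the past; readers will ignore the file")
            elif exp - now > timedelta(days=366):
                problems.append("Expires is more than a year out (RFC 9116 recommends less)")
    return problems


if __name__ == "__main__":
    for label, body in (("good", SAMPLE), ("bad", BAD_SAMPLE)):
        issues = validate(body)
        print(f"{label}: " + ("OK" if not issues else "; ".join(issues)))
```

Run it as part of the deploy check for /.well-known/security.txt; a non-empty list should fail the build, and the expiry check doubles as a reminder to refresh the file on a schedule.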