Security · epochpay.today
Vulnerability disclosure & security posture.
How to report a vulnerability, what's in and out of scope, our acknowledgment SLAs, supply-chain posture, and the cryptographic substrate that underpins every payment receipt. Researcher-side details live in /.well-known/security.txt per RFC 9116.
Report a vulnerability.
- Primary channel: Email security@epochpay.today. Same-day acknowledgment during US business hours; within 24 hours otherwise.
- Encrypted attachments: PGP key fingerprint and ASCII-armored public key published at /.well-known/security.txt (forthcoming); until that's live, encrypted attachments via age or signed Keybase chat are acceptable on request.
- Triage SLA: Critical (active exploitation, key disclosure): 24 hours · High (auth bypass, signature forgery): 72 hours · Medium / Low: 5 business days.
- Coordinated disclosure: 90-day default disclosure window from triage date; extensions on agreement for vendor-side coordination. Researchers credited in /trust hall-of-fame on request.
- Safe harbor: Good-faith research within stated scope is authorized and will not result in legal action by EpochCore LLC.
Scope.
In scope
- epochpay.today (worker: dkap-pay)
- The /verify public verifier
- The /v1/pay/pubkey and /v1/waterseal endpoints
- Receipt forgery (any ML-DSA-65 signature bypass)
- WORM chain tampering or replay
- Authorization bypass on /v1/* merchant routes
- Snapshot seal forgery (/snapshots)
Out of scope
- Social engineering of EpochCore staff
- Denial-of-service (resource exhaustion)
- Physical access to data centers (we don't operate any)
- Third-party services we don't run (Cloudflare, Coinbase Base, Stripe, banking partners)
- Reports requiring stolen / leaked credentials we did not issue
- Best-practice findings without a concrete attack scenario (TLS cipher preferences, header missing/extra)
Threat model summary.
- Receipt forgery: An attacker forges a receipt that /verify accepts. Mitigation: every receipt carries an ML-DSA-65 signature (NIST FIPS 204) over the canonical receipt hash. Public key fingerprint at /v1/pay/pubkey; rotation is logged in the WORM chain.
- Chain rewrite: An attacker silently rewrites a past WORM entry. Mitigation: every entry chains to the prior via triple-hash (SHA-256 + SHA3-512 + BLAKE3); chain head at /v1/waterseal is publicly verifiable.
- UI tampering: An attacker changes a number on a public page (compliance claim, retention period, fee). Mitigation: every public page is captured nightly via Cloudflare Browser Rendering and sealed (pixelHash + blake3 + sha3-512 + ed25519). Snapshots at /snapshots.
- Supply-chain compromise: A dependency or sub-processor is compromised. Mitigation: /trust/regulatory lists every sub-processor; build receipts seal the exact code that was deployed; D1 + R2 are managed by Cloudflare with their own SOC 2 / ISO posture.
- Key compromise: The ML-DSA-65 service key is exfiltrated. Mitigation: key rotation logged in the WORM chain; older keys remain verifiable for historical receipts; rotation rehearsal in 2026-Q3 roadmap.
- Post-quantum risk: An attacker with a future quantum computer breaks classical signatures retroactively. Mitigation: receipts are signed post-quantum by default (ML-DSA-65 / FIPS 204); classical-only signing is not in any code path.
Cryptographic substrate.
- Signature scheme: ML-DSA-65 (NIST FIPS 204). Implementation via @noble/post-quantum.
- Content hash: SHA-256 of canonical-JSON receipt payload (RFC 8785).
- WORM chain hash: SHA-256 + SHA3-512 + BLAKE3 (triple-hash) of {prev_seal_hash, content_hash, ts, idx}.
- Public verifier: /verify accepts pasted intent + receipt JSON and returns the verification result + chain link with no API key required.
- Snapshot seal: pixelHash (pHash of the rendered image) + blake3 + sha3-512 + Ed25519 signature over the canonical seal envelope.
Supply chain.
- Runtime: Cloudflare Workers (V8 isolates, no VMs). D1 (SQLite) for merchants + intents. R2 for receipt envelopes. KV for state + status checks.
- Dependencies: One production dependency: @noble/post-quantum (audited TypeScript). Build-receipt seals the exact dependency tree per deploy.
- Sub-processors: See /trust/regulatory for the full list.
Disclosure history.
No public disclosures to date. As reports come in and are remediated, they'll be listed here (date, category, credit if requested).
Want a deeper conversation?
Security review for procurement / compliance: email trust@epochpay.today. SOC 2 bridge letter available on request; Type II report target Q4 2026 (see /trust for the full posture).