Security.
We build supply-chain security tooling, so we hold this site and our releases to the standard we sell.
Report a vulnerability
Found a security issue in this site, our releases, or our infrastructure? Email security@attestree.com. We aim to acknowledge within two business days and to keep you updated through resolution. We support coordinated disclosure and will not pursue legal action against good-faith research that respects this policy and our users' privacy.
Scope
In scope: attestree.com and its subdomains, the Attestree Community Edition image, and our published open-source components.
Out of scope: third-party services we use (please report those to the vendor), social engineering, and volumetric denial-of-service.
Our posture
The domain enforces SPF, DKIM, and DMARC (p=reject). Changes to this site are made through signed, verified commits; CI actions are pinned by commit SHA with least-privilege tokens; dependencies are lockfile-pinned and audited. The Community Edition image is cosign-signed, and the installer shim ships with build provenance.
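Two of the CI claims above (actions pinned by commit SHA, least-privilege tokens) can be checked mechanically from a workflow file. The following is an added example written for this page, not Attestree's own tooling; the workflow text it scans is a constructed sample, and the SHA in it is a placeholder.

```python
import re

# Constructed sample GitHub Actions workflow; the 40-hex SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: release
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: sigstore/cosign-installer@v3
      - uses: docker/login-action@abcdef0
      - run: make release
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")


def unpinned_actions(workflow_text):
    """Return (action, ref) pairs whose ref is a tag, branch or short SHA
    rather than a full 40-hex commit SHA. Tags and branches are mutable, so
    a compromised upstream repo could change what the job runs."""
    findings = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref_spec = m.group(1)
        # Local (./path) and docker:// references carry no git ref to pin.
        if ref_spec.startswith(("./", "docker://")):
            continue
        action, _, ref = ref_spec.partition("@")
        if not SHA_RE.match(ref):
            findings.append((action, ref))
    return findings


def workflow_permissions(workflow_text):
    """Return the top-level `permissions:` mapping, or None when it is absent
    (the GITHUB_TOKEN then gets the repository's broad default scope)."""
    lines = workflow_text.splitlines()
    for i, line in enumerate(lines):
        if not line.startswith("permissions:"):
            continue
        inline = line[len("permissions:"):].strip()
        if inline:
            return {"*": inline}  # e.g. `permissions: read-all` or `{}`
        perms = {}
        for nxt in lines[i + 1:]:
            if not nxt.startswith(" "):
                break  # next top-level key ends the block
            key, _, value = nxt.strip().partition(":")
            perms[key] = value.strip()
        return perms
    return None
```

Run `unpinned_actions(SAMPLE_WORKFLOW)` to list the two mutable references in the sample; a workflow matching the posture above returns an empty list and an explicit, read-only `permissions` mapping.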
Honest about state
Attestree is pre-GA. The free Community Edition signs its audit chain with a local, dev-grade key — fine for a homelab, not for regulatory submission. Hardware-backed signing and auditor-ready evidence are commercial-tier capabilities. We say so wherever it matters.