Security advisories

Receipt‑linked, append‑only advisories feed. Missing or unverifiable signatures must yield HOLD (fail‑closed).

Lookup

    Expected outputs

    • PASS: feed root and referenced advisory entry verify deterministically.
    • FAIL: integrity mismatch or policy violation (tamper‑evident).
    • HOLD: missing/unverifiable signatures or incomplete evidence (fail‑closed).

    Tip: use Receipt Finder (⌘K / Ctrl+K) and paste a CVE-… or MVG-ADV-… id.

    Feeds & artifacts

    Append‑only feed
    NDJSON lines: each entry contains pointers to an advisory JSON + detached signature.
    /security/advisories/advisories.ndjson

    Root (DSSE scaffold)
    DSSE payload references the feed sha256. Publish signatures via controlled ceremony.
    /security/advisories/advisories.root.dsse.json

    Signed checksums (receipt)
    Deterministic verification entrypoint for auditors (manifest + detached signature).
    /security/advisories/SHA256SUMS.advisories
    gpg --verify SHA256SUMS.advisories.asc SHA256SUMS.advisories
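The PASS / FAIL / HOLD decision for the feed checked against its DSSE root, as an added example that is not this site's own verifier. Assumptions: the payload field name `feed_sha256`, the policy that every listed signature must verify, and the constructed sample data, in which HMAC stands in for a real public-key signature check; the envelope layout and pre-authentication encoding follow the DSSE specification.

```python
import base64, hashlib, hmac, json

def pae(payload_type, payload):
    """DSSE pre-authentication encoding (PAE): the bytes a DSSE signature covers."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)

def verify_root(feed, envelope, verify_sig):
    """Return PASS, FAIL or HOLD. verify_sig(keyid, message, sig) -> bool."""
    try:
        payload = base64.b64decode(envelope["payload"], validate=True)
        message = pae(envelope["payloadType"], payload)
        sigs = envelope["signatures"]
        # Assumed policy: at least one signature, and every listed one must verify.
        trusted = bool(sigs) and all(
            verify_sig(s["keyid"], message, base64.b64decode(s["sig"], validate=True))
            for s in sigs)
        if not trusted:
            return "HOLD"  # missing or unverifiable signature: digest is not trusted
        # Parse only after verification. "feed_sha256" is an assumed field name.
        expected = json.loads(payload)["feed_sha256"]
    except (KeyError, TypeError, ValueError, AttributeError):
        return "HOLD"  # malformed or incomplete evidence: fail closed
    return "PASS" if hashlib.sha256(feed).hexdigest() == expected else "FAIL"

# Constructed sample data. HMAC is a stand-in for a real public-key verifier.
DEMO_KEY = b"constructed-demo-key"
FEED = b'{"id": "EXAMPLE-0001", "advisory": "example.json", "sig": "example.json.sig"}\n'

def demo_verify(keyid, message, sig):
    good = hmac.new(DEMO_KEY, message, hashlib.sha256).digest()
    return keyid == "demo" and hmac.compare_digest(good, sig)

def demo_envelope(feed, signed=True):
    ptype = "application/vnd.example.feed-root+json"  # constructed payload type
    payload = json.dumps({"feed_sha256": hashlib.sha256(feed).hexdigest()}).encode()
    sig = hmac.new(DEMO_KEY, pae(ptype, payload), hashlib.sha256).digest()
    sigs = [{"keyid": "demo", "sig": base64.b64encode(sig).decode()}] if signed else []
    return {"payloadType": ptype, "payload": base64.b64encode(payload).decode(),
            "signatures": sigs}

if __name__ == "__main__":
    print(verify_root(FEED, demo_envelope(FEED), demo_verify))
    print(verify_root(FEED + b"x", demo_envelope(FEED), demo_verify))
    print(verify_root(FEED, demo_envelope(FEED, signed=False), demo_verify))
```

A signature that fails is reported as HOLD rather than FAIL because the digest inside an unverified payload cannot be trusted as the reference value.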

    Official channel for reports: security@meridianverity.com. If a claim cannot be traced to published receipts, treat it as unverified.