
Security review packet (public • procurement-safe)

A procurement‑grade Security Review Packet built for Big Tech / Fortune 500 diligence: architecture & trust boundaries, verification workflow, threat model, and canonical evidence pointers.
Public • procurement‑safe. Offline‑first. Missing proof ⇒ HOLD (fail‑closed).

Truth strip: reviewer routing v80.5

Single-source reviewer navigation. If any page text conflicts with a signed receipt, treat it as HOLD and follow the receipt.

Machine index: /.well-known/mvg-reviewer-index.json (+ detached signature)
Canonical pointer: /.well-known/mvg-prod.json (+ .asc) is the single signed production pointer. Determine state from signature validity (fail‑closed): signature missing ⇒ HOLD; signature invalid ⇒ FAIL; signature valid ⇒ proceed to verify the referenced receipts offline.
Key roles: site_release_verification_keyring_url = /trust/site-release/latest/pgp.asc · security_contact_encryption_key_url = /pgp.asc · security.txt. Verify releases against the site-release keyring only; /pgp.asc is the encryption key for reports to the security contact, not a release-signing key.
Verifier states: PASS: all required proofs verify · HOLD: a proof is missing, withheld, or unverifiable (fail‑closed) · FAIL: a proof is present but invalid or inconsistent.

Two-track reviewer flow: the boardroom packet is the premium front-door read; the canonical packet remains the transparency-linked procurement artifact.

Disclosure scope

This packet is a public, procurement‑safe security overview. It omits private keys, internal network topology, and exploitation playbooks by design. Deeper materials (key management details, IR runbooks, audit reports) are available under NDA.

Committed to the proof chain (Phase 1.5.1)

This PDF is not marketing copy: its sha256 is committed into the append‑only procurement transparency log. Verify by computing sha256(packet.pdf) and comparing it to entry.artifacts.security_review_packet_pdf.sha256 in the PROD inclusion proof (or the DEMO inclusion proof). Apply the verifier states above: no inclusion proof to compare against ⇒ HOLD; committed digest present but different from the PDF you hold ⇒ FAIL.
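The fail‑closed decision described in the truth strip (signature missing ⇒ HOLD, invalid ⇒ FAIL) and the packet digest check above are small enough to script. The following is an added example written for this page, not Meridian Verity's own reviewer tooling. It assumes the inclusion-proof document is JSON with the committed digest at the top-level path entry.artifacts.security_review_packet_pdf.sha256, and that gpg is installed when a real detached signature is checked; the constructed sample inputs at the bottom are not real artifacts. It does not walk the transparency-log Merkle path; it performs only the two comparisons the page asks for.

```python
"""Fail-closed reviewer check for the signed production pointer and the
packet sha256 commitment.  Added example; not Meridian Verity tooling.

Artifacts are passed as bytes (None = missing or withheld) so the decision
logic runs offline; gpg_verify() shells out to gpg, which is assumed to be
installed when a real signature is checked."""
import hashlib
import hmac
import json
import os
import re
import subprocess
import tempfile
from typing import Callable, Optional

PASS, HOLD, FAIL = "PASS", "HOLD", "FAIL"
Verifier = Callable[[bytes, bytes, bytes], bool]

# JSON path of the committed digest. The page names
# entry.artifacts.security_review_packet_pdf.sha256; treating "entry" as the
# top-level key of the inclusion-proof document is an assumption.
DIGEST_PATH = ("entry", "artifacts", "security_review_packet_pdf", "sha256")
HEX_SHA256 = re.compile(r"[0-9a-f]{64}")


def gpg_verify(keyring_asc: bytes, sig: bytes, data: bytes) -> bool:
    """Verify a detached PGP signature using ONLY the site-release keyring.

    A throwaway GNUPGHOME keeps the reviewer's personal keyring out of the
    decision; any gpg failure (unknown signer, bad signature) reads as False.
    """
    with tempfile.TemporaryDirectory() as home:   # created with mode 0700
        paths = {}
        for name, blob in (("pgp.asc", keyring_asc), ("ptr.asc", sig), ("ptr.json", data)):
            paths[name] = os.path.join(home, name)
            with open(paths[name], "wb") as fh:
                fh.write(blob)
        env = {**os.environ, "GNUPGHOME": home}
        imported = subprocess.run(["gpg", "--batch", "--import", paths["pgp.asc"]],
                                  env=env, capture_output=True)
        if imported.returncode != 0:
            return False
        verified = subprocess.run(["gpg", "--batch", "--verify", paths["ptr.asc"], paths["ptr.json"]],
                                  env=env, capture_output=True)
        return verified.returncode == 0


def pointer_state(pointer: Optional[bytes], sig: Optional[bytes],
                  keyring: Optional[bytes], verify: Verifier = gpg_verify) -> str:
    """State of /.well-known/mvg-prod.json (+ .asc) against the release keyring."""
    if pointer is None or sig is None or keyring is None:
        return HOLD                      # missing => HOLD (fail closed)
    return PASS if verify(keyring, sig, pointer) else FAIL   # invalid => FAIL


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def packet_state(pdf: Optional[bytes], inclusion_proof: Optional[bytes]) -> str:
    """Compare sha256(packet.pdf) with the digest committed in the inclusion proof."""
    if pdf is None or inclusion_proof is None:
        return HOLD
    try:
        node = json.loads(inclusion_proof)
        for key in DIGEST_PATH:
            node = node[key]
    except (ValueError, KeyError, TypeError):
        return HOLD                      # proof present but no digest to check: unverifiable
    committed = str(node).lower()
    if not HEX_SHA256.fullmatch(committed):
        return FAIL                      # present but not a sha256 digest: invalid
    return PASS if hmac.compare_digest(committed, sha256_hex(pdf)) else FAIL


def reviewer_verdict(*states: str) -> str:
    """Combine per-proof states: any FAIL is decisive, then any HOLD, else PASS."""
    if FAIL in states:
        return FAIL
    if HOLD in states:
        return HOLD
    return PASS


if __name__ == "__main__":
    # Constructed sample inputs (not real Meridian Verity artifacts).
    pdf = b"%PDF-1.7 constructed sample packet"
    proof = json.dumps({"entry": {"artifacts": {
        "security_review_packet_pdf": {"sha256": sha256_hex(pdf)}}}}).encode()
    stub_ok: Verifier = lambda k, s, d: True   # stands in for gpg in this demo
    print("pointer:", pointer_state(b"{}", b"sig", b"keyring", verify=stub_ok))
    print("packet :", packet_state(pdf, proof))
    print("pointer (sig withheld):", pointer_state(b"{}", None, b"keyring"))
    print("verdict:", reviewer_verdict(pointer_state(b"{}", None, b"keyring"),
                                       packet_state(pdf, proof)))
```

The verifier is injectable so the state logic can be exercised without gpg; in real use pass the downloaded pgp.asc, the detached .asc and the pointer bytes and let gpg_verify decide. Note the asymmetry the page prescribes: a withheld signature or proof never becomes FAIL, and a FAIL from any one proof outranks a HOLD from another.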

Discoverable from the procurement DSSE: predicate.security_review_packet (url · meta_url · verify_hint).

AIMS descriptor (public-safe): /.well-known/mvg-aims.json (+ .asc)
Safety IR descriptor (public-safe): /.well-known/mvg-safety-ir.json (+ .asc)
Impact assessment descriptor (public-safe): /.well-known/mvg-impact-assessment.json (+ .asc)

Optional: Controls mapping pack (SOC 2 / ISO / NIST + OWASP ↔ MVG), public-safe. Receipt: SHA256SUMS.controls_mapping (+ .asc) · Files: PDF · OWASP Agentic ↔ MVG PDF.

Optional hardening: Trusted Types readiness (opt‑in; not enforced by default).

Attach 1 URL (DSSE)

Canonical procurement pointer. Detached signatures are authoritative; if they are unpublished, the correct reviewer output is an intentional HOLD (fail‑closed), paired with a deterministic next-step runbook.

https://meridianverity.com/.well-known/mvg-procurement-ticket-pack.dsse.json

Responsible disclosure

Report security issues securely. PGP available.

security.txt · Policy

security@meridianverity.com

Key roles (verification vs encrypted contact)