# Security contact for zentient-PTO
# Per RFC 9116 — https://www.rfc-editor.org/rfc/rfc9116
Contact: mailto:al@ecoterium.com
Contact: https://zentient.studio/pto#join
Expires: 2027-04-24T00:00:00.000Z
Preferred-Languages: en
Canonical: https://zentient.studio/pto/security.txt
Policy: https://zentient.studio/pto/security.txt
# Please include "zentient-PTO — Security Report" in the subject line.
# We respond to responsible disclosure within 72 hours.
# --------------------------------------------------------------------
# Install-kit signing key (Ed25519)
# --------------------------------------------------------------------
# The zentient-PTO agent-kit installer (/pto/agent-kit/install.sh) is signed
# by an Ed25519 key. The public key is published at:
#   https://zentient.studio/pto/agent-kit/pubkey.pem
#
# Pinned SHA-256 fingerprint (DER SubjectPublicKeyInfo):
#   f00032a2cba3dbe5836b0fc978e595288e79977af741efaca2748be557710750
#
# If the pubkey served at the URL above does NOT match the fingerprint pinned
# here, do not run the installer. Report the mismatch to the contact above.
#
# Key rotation: we will publish the new pubkey under a signature from the
# OLD key. If you see a new pubkey that is not signed by the prior key,
# treat it as suspect.
#
# --------------------------------------------------------------------
# Scope
# --------------------------------------------------------------------
# In scope for disclosure:
# - Integrity of the zentient.studio domain and its /pto/ surface
# - Signing-key compromise or suspected compromise
# - Issues in the install kit, verify-and-install wrapper, or intake flow
# - Issues in the agent handshake / registration / signed-send protocol
# - Unauthorized disclosure of client data from our systems
#
# Out of scope:
# - Bugs in third-party utilities (PG&E portals, etc.)
# - Social-engineering attempts against individual operators
# - Bugs in software we depend on but do not author
#
# --------------------------------------------------------------------
# Coordinated disclosure
# --------------------------------------------------------------------
# We ask that findings be reported privately first. We commit to:
# - Initial acknowledgement within 72 hours
# - A scoped remediation timeline shared within 7 days
# - Credit (if desired) when the fix is public
# Please allow reasonable time before public disclosure so we can protect
# downstream agents running the install kit. Thanks for helping keep the
# agentic surface safe.
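The fingerprint check described in the install-kit section above, as an added example that is not part of this security.txt or of the zentient-PTO project's own tooling: it reads a PEM "PUBLIC KEY" block, hashes its DER SubjectPublicKeyInfo with SHA-256 and compares the result to the pinned value in constant time. The pinned fingerprint is the one from this file; the sample key is constructed here and is not the real pubkey.pem, the ASN.1 prefix check assumes the RFC 8410 Ed25519 SPKI encoding, and only the Python standard library is used so nothing is fetched.

```python
"""Check a served Ed25519 public key against the SPKI fingerprint pinned above.

Added example, not the zentient-PTO project's code. It assumes the key is
published as a PEM "PUBLIC KEY" block whose base64 body is the DER-encoded
SubjectPublicKeyInfo, which is exactly what the pinned SHA-256 covers.
"""
import base64
import hashlib
import hmac
import re

# Fingerprint pinned in the security.txt above (value copied from the page).
PINNED_SHA256 = "f00032a2cba3dbe5836b0fc978e595288e79977af741efaca2748be557710750"

# DER prefix of an Ed25519 SubjectPublicKeyInfo per RFC 8410:
# SEQUENCE { AlgorithmIdentifier { OID 1.3.101.112 }, BIT STRING (32 bytes) }.
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")

_PEM_RE = re.compile(
    r"-----BEGIN PUBLIC KEY-----\s*(.*?)\s*-----END PUBLIC KEY-----", re.S
)


def spki_der_from_pem(pem: str) -> bytes:
    """Extract the DER SubjectPublicKeyInfo from a PEM 'PUBLIC KEY' block."""
    m = _PEM_RE.search(pem)
    if m is None:
        raise ValueError("no PEM PUBLIC KEY block found")
    body = "".join(m.group(1).split())  # drop the line breaks inside the base64
    der = base64.b64decode(body, validate=True)
    # The installer signature is Ed25519, so a key of any other algorithm or
    # length at this URL is itself a reason to stop and report.
    if len(der) != 44 or not der.startswith(ED25519_SPKI_PREFIX):
        raise ValueError("PEM body is not an Ed25519 SubjectPublicKeyInfo")
    return der


def spki_fingerprint(pem: str) -> str:
    """SHA-256 over the DER SPKI as lowercase hex, the form the page pins."""
    return hashlib.sha256(spki_der_from_pem(pem)).hexdigest()


def pubkey_matches_pin(pem: str, pinned_hex: str = PINNED_SHA256) -> bool:
    """True only if the served key's fingerprint equals the pinned one.

    Any parse failure counts as a mismatch. A False result means: do not run
    the installer, and report the mismatch to the security.txt contact.
    """
    try:
        actual = spki_fingerprint(pem)
    except ValueError:
        return False
    return hmac.compare_digest(actual, pinned_hex.lower())


def ed25519_pem_from_raw(raw_key: bytes) -> str:
    """Wrap a raw 32-byte Ed25519 public key as a PEM SPKI (used for the sample)."""
    if len(raw_key) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    b64 = base64.b64encode(ED25519_SPKI_PREFIX + raw_key).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


# Constructed sample key: NOT the real zentient-PTO key, so it must fail the pin.
SAMPLE_PEM = ed25519_pem_from_raw(bytes(range(32)))

if __name__ == "__main__":
    # Real use: pass the contents of pubkey.pem fetched over HTTPS from the URL
    # given in security.txt instead of SAMPLE_PEM.
    print("sample fingerprint:", spki_fingerprint(SAMPLE_PEM))
    print("matches pin:", pubkey_matches_pin(SAMPLE_PEM))  # False
```

A verify-and-install wrapper would run this check on the downloaded pubkey.pem before using that key to verify the installer's signature; rejecting on any parse error rather than only on a hash mismatch keeps a swapped-in key of a different algorithm from slipping past the pin.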