§ LEGAL — SECURITY
Security by construction.
How AETHER protects value, identities and integrity at the protocol, infrastructure and operational layers. How to report a vulnerability. How we respond.
Key management
- Roots in HSM. All root keys are generated, stored and used exclusively inside FIPS 140-3 Level 3 hardware security modules.
- MPC for signing. Production signing operations use threshold MPC across geographically separated participants. No single host has signing authority.
- Key ceremony. Documented, recorded and observed by independent witnesses. Ceremony artefacts are sealed and archived.
- Rotation. Scheduled rotation on a defined cadence, plus event-driven rotation on personnel or environment changes.
Infrastructure
- Multi-region by default. No single-region failure removes a service from operation. Active-active across at least three regions per service.
- Encrypted everywhere. TLS 1.3 on all external interfaces. mTLS on internal service-to-service traffic. AES-256-GCM at rest.
- Reproducible builds. Production binaries are reproducibly built from source. Build provenance is published with every release.
- Zero trust. No flat networks. Every request — human or machine — is authenticated, authorised and logged at the call site.
Threat model
AETHER protects against credible attacker classes including malicious insiders, supply-chain compromise of dependencies and build infrastructure, network-level interception, key-extraction attempts on HSM-protected material, and coordinated availability attacks at the edge.
A short threat-model summary is maintained and published with each major release; the long-form document is shared with counterparties under NDA.
Responsible disclosure
We welcome reports of suspected vulnerabilities and we will not pursue legal action against good-faith researchers who follow this policy.
- Scope
- All AETHER-operated services, public APIs, SDK packages, and assets in our
security.txt file.
- Out of scope
- Customer-operated deployments, denial-of-service testing without prior coordination, social-engineering of staff or contractors.
- How to report
- See
/.well-known/security.txt for the current PGP-encrypted intake address and key. Use the contact form as a fallback.
- Acknowledgement
- Within one business day. Triage classification within five business days. Status updates at least weekly until resolution.
Bug bounty
A bounty programme is in operation for in-scope production assets. Reward tiers are aligned with CVSS severity and reproducibility. Severe findings (Critical or High with confirmed material impact) qualify for additional discretionary uplifts. Full programme terms are published on the disclosure portal.
Post-incident transparency
Post-mortems for every Sev-1 and Sev-2 incident are published within seven days of resolution and remain on the public record permanently. We do not redact root-cause details unless a specific legal or victim-safety constraint applies.
Report a vulnerability
Use the address in /.well-known/security.txt or the contact form as a fallback. We answer security reports first.