Security
Evidence tooling only earns trust if it is honest about exactly what it proves and what it does not. Here is the precise scope of Provenrail's guarantee, how anyone can verify it independently, and how to report a vulnerability.
Once a record reaches the sink, it is sealed into an append-only, hash-chained sequence and signed. From that point on:
Altering, reordering, or deleting any record breaks the chain and the verifier reports it. A coherent rewrite of the whole chain is caught by the independent server receipt chain and the anchor.
The hash chain seals ordering on every plan. Builder and higher plans add RFC 3161 timestamps from an external authority, so the timing cannot be back-dated even by Provenrail.
The proof travels with the record. A third party recomputes every hash, signature, receipt, and anchor with an open-source tool, offline, trusting neither the agent, the sink, nor Provenrail.
On Builder and higher plans, the transparency log is cosigned by independent witnesses, so the log operator cannot show different histories to different parties without detection. On the Free plan the log is append-only and internally consistent, but not independently witnessed.
Hash-chain tamper-evidence holds on every plan, including the free tier, and never depends on a commercial license. RFC 3161 anti-backdating and independent witness cosignatures are Builder and higher, because they bring in external third parties. The core integrity is in the math, not in the subscription.
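To make the tamper-evidence described above concrete, here is a small added example (not Provenrail's own code or wire format) of an append-only hash chain whose verifier recomputes every link offline and reports alteration, reordering, deletion, and whole-chain rewrites. The HMAC over the chain head is an assumed stand-in for the real public-key signature; the record contents and key are constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed, simplified chain (assumption: not Provenrail's real format).
# Each sealed record carries its index, the previous record's hash, its content,
# and its own hash. The chain head is authenticated with an HMAC as a stand-in
# for a public-key signature; a real verifier would check a signature instead.
GENESIS = "0" * 64

def record_hash(index: int, prev: str, content: dict) -> str:
    # Canonical JSON so that any byte-level change alters the digest.
    payload = json.dumps({"i": index, "prev": prev, "content": content},
                         sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()

def seal(records: list, key: bytes) -> dict:
    """Seal records into a hash chain and authenticate the final head."""
    chain, prev = [], GENESIS
    for i, content in enumerate(records):
        h = record_hash(i, prev, content)
        chain.append({"i": i, "prev": prev, "content": content, "hash": h})
        prev = h
    sig = hmac.new(key, prev.encode(), hashlib.sha256).hexdigest()
    return {"chain": chain, "head": prev, "sig": sig}

def verify(bundle: dict, key: bytes) -> tuple:
    """Recompute every link; return (ok, reason) naming the first defect."""
    prev = GENESIS
    for n, rec in enumerate(bundle["chain"]):
        if rec["i"] != n:            # a reordered or removed record shifts indices
            return False, f"index mismatch at position {n}"
        if rec["prev"] != prev:      # back-link no longer points at predecessor
            return False, f"prev link broken at record {n}"
        if record_hash(rec["i"], rec["prev"], rec["content"]) != rec["hash"]:
            return False, f"content altered in record {n}"
        prev = rec["hash"]
    if prev != bundle["head"]:       # truncation from the tail
        return False, "head does not match last record"
    expected = hmac.new(key, prev.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, bundle["sig"]):
        return False, "head signature invalid"   # coherent rewrite of the whole chain
    return True, "ok"

if __name__ == "__main__":
    key = b"constructed-demo-key"
    b = seal([{"agent": "a1", "act": "read"}, {"agent": "a1", "act": "write"}], key)
    print(verify(b, key))
    b["chain"][0]["content"]["act"] = "delete"
    print(verify(b, key))
```

A forged chain with recomputed hashes passes every link check and fails only at the head signature, which is why the page pairs the hash chain with signatures, receipts, and anchors rather than relying on hashing alone.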
Overclaiming is how evidence tooling loses credibility. Provenrail is explicit about its limits:
Provenrail attests that what was recorded is intact, never that everything was recorded. An agent that does not call the SDK will not appear. Completeness is never attested.
The commercial tier check is a billing control, not DRM. The server is open source; the integrity guarantee never depends on it.
It makes records tamper-evident and verifiable. It does not, on its own, make you compliant, and it is not a substitute for counsel.
It proves a record was not altered after it was sealed. It cannot prove the agent's inputs to that record were honest in the first place.
The verifier is open source and runs with no account and no network call to us. Anyone you hand a record to can confirm it themselves:
pr verify bundle.json

A verifier you cannot check is just another thing to trust. Provenrail ships a frozen suite of public conformance vectors, and two independent implementations, the Python verifier (pr verify) and the in-browser JavaScript verifier, must agree on every one of them. If they ever diverged, the test suite would fail. That lockstep is what lets a counterparty pick whichever implementation they trust and still get the same verdict.
The SDKs, the verifier, and the spec are open source under MIT; the server is AGPL-3.0. You can read exactly how every check works.
If you find a security issue, please report it privately first. We will acknowledge, investigate, and keep you updated, and we will credit you if you wish once a fix ships.
We especially want to hear about anything that would let a record pass verification after being altered, or fail verification while genuinely intact. Those are the bugs that matter most for an evidence tool.