Redvia Systems
Security & trust

Evidence-driven by design.

AegisCore is built to produce forensic-grade evidence — and the platform itself is built the same way. This page documents how the evidence pipeline works, how to disclose a vulnerability, and which compliance frameworks AegisCore supports.

Evidence pipeline

Cryptographic chain of custody

Tamper-aware evidence handling is not an add-on. It is the core of how AegisCore records every operation.

SHA-256 hash chain

Every evidence record links to the previous one through a SHA-256 hash chain. Tampering with any entry breaks the chain and is immediately detectable.

HMAC-SHA256 internal signing

Internal artifacts are signed with HMAC-SHA256, binding each record to the runtime that produced it.
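The two mechanisms above can be seen working together in a small model. This is an added illustration, not AegisCore code: the record fields (`seq`, `event`, `prev_hash`, `hash`, `mac`), the `GENESIS` anchor and all function names are assumptions made for the example. It shows that a bare hash chain pinpoints an edited record, while the keyed HMAC is what still catches a rewrite in which every later hash has been recomputed.

```python
import hashlib, hmac, json

GENESIS = "0" * 64  # assumed anchor value for the first record's prev_hash

def _body(rec):
    # Canonical bytes of the fields covered by the hash and the MAC.
    return json.dumps({k: rec[k] for k in ("seq", "event", "prev_hash")},
                      sort_keys=True, separators=(",", ":")).encode()

def append(chain, event, key):
    prev = chain[-1]["hash"] if chain else GENESIS
    rec = {"seq": len(chain), "event": event, "prev_hash": prev}
    rec["hash"] = hashlib.sha256(_body(rec)).hexdigest()
    rec["mac"] = hmac.new(key, bytes.fromhex(rec["hash"]), hashlib.sha256).hexdigest()
    chain.append(rec)
    return rec

def verify(chain, key=None):
    """Return (index, reason) of the first bad record, or None if intact."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i:
            return (i, "sequence")
        if rec["prev_hash"] != prev:
            return (i, "link")
        digest = hashlib.sha256(_body(rec)).hexdigest()
        if not hmac.compare_digest(digest, rec["hash"]):
            return (i, "hash")
        if key is not None:
            mac = hmac.new(key, bytes.fromhex(digest), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(mac, rec["mac"]):
                return (i, "mac")
        prev = rec["hash"]
    return None

def rehash_from(chain, start):
    # Verifier test helper: models a rewrite made without the signing key.
    prev = chain[start - 1]["hash"] if start else GENESIS
    for rec in chain[start:]:
        rec["prev_hash"] = prev
        rec["hash"] = hashlib.sha256(_body(rec)).hexdigest()
        prev = rec["hash"]

if __name__ == "__main__":
    key, chain = b"constructed-demo-key", []   # constructed sample data
    for e in ("login alice", "export case-17", "logout alice"):
        append(chain, e, key)
    print(verify(chain, key))
```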

Ed25519 export signing

Evidence leaving the platform is signed with Ed25519, so a third party can verify provenance and integrity without trusting the transport.

NIST SP 800-86 alignment

Chain-of-custody semantics are aligned to NIST SP 800-86 guidance on integrating forensic techniques into incident response.

Build integrity

Every release ships with proof

AegisCore v1.5.19 carries 165 signed release-proof artifacts. Each documents one engineering step — the commands run, the output produced, and an explicit claim boundary stating what the proof does and does not establish. The build also carries a pentest simulation that currently blocks 49 of 49 known attack vectors, and 6,588 automated tests.

Installers ship with a SHA256SUMS file and an Ed25519-signed manifest. Verify both before installing — the steps are in every release's notes.

Verification at a glance

Release proofs: 165 signed artifacts
Pentest simulation: 49 / 49 vectors blocked
Automated tests: 6,588 passing
Manifest signature: Ed25519
Evidence chain: SHA-256 + HMAC-SHA256

Responsible disclosure

Found something? Tell us.

We welcome good-faith security research. If you believe you have found a vulnerability in AegisCore, contact us directly — we respond, we coordinate, and we acknowledge researchers who help us improve.

  • Report via security@redviasystems.com — PGP key published for encrypted submissions
  • Coordinated disclosure with a 90-day standard timeline
  • Good-faith research within scope is welcomed and acknowledged
  • Machine-readable policy at /.well-known/security.txt

Security contact: security@redviasystems.com

PGP-encrypted reports preferred. Public key and full policy below.

Compliance

Audit-ready evidence, generated continuously

AegisCore maps its operations to the frameworks regulated organisations are measured against — and generates signed evidence as it runs.

SOC 2 — 50 mapped controls with signed evidence
NIS2 — Article 21 risk-management and Article 23 reporting support
HIPAA — access review and audit-trail evidence
ISO 27001 — control mapping and evidence generation

Framework alignment describes AegisCore's evidence and control mapping. It is not a substitute for an organisation's own certification audit.

Inspect the evidence trail yourself

Download the free Community edition and examine the release proofs, the signed manifest and the evidence pipeline first-hand.