Security
Built for the post-quantum era.
We assume the adversary has a quantum computer, a foothold in your CI, and a forged TLS cert. The protocol holds anyway.
Cryptographic primitives
What we ship.
- Signatures: ML-DSA-65 (Dilithium-3) — NIST FIPS 204
- Hybrid mode: Ed25519 + ML-DSA-65 detached signatures
- Hashing: SHA-3 / SHAKE-256
- Entropy: QRNG (ANU + IDQ feeds, attested per-issuance)
- Key storage: Owner-held; non-custodial by default
- Anchor: Base + Linea L2; ENS resolver via CCIP-Read
Posture
How we operate.
Threat model
Adversary with quantum compute, network MITM, compromised dependency, malicious resolver gateway. Out of scope: physical extraction of owner-held keys.
Audits
Resolver contract audit by Trail of Bits (Q1 2026). PQC implementation review by Cure53 (Q2 2026). Reports are published to /security/reports as they are completed.
Bug bounty
Up to $50,000 for critical issues in the resolver, registry, or signature path. Scope and policy at /security#bounty.
Disclosure
Encrypted intake at security@qguid.xyz (PGP key below). 90-day coordinated disclosure window, faster on request.
Disclosure
Found something? Tell us first.
security@qguid.xyz · PGP fingerprint (verified)
4096R / A7F2 9C81 4D6E B033 51A2 6F8C 9D44 EE21 7B0A 8C19

Severity      Bounty (USD)
─────────────────────────────────
Critical      up to $50,000
High          up to $15,000
Medium        up to $4,000
Low           $250 + swag

Out of scope: rate-limit issues, missing security headers on marketing pages, social engineering, third-party services.