PGP / GPG

Encryption for the sensitive ones.

Use this key to encrypt any vulnerability report that contains exploit code, tokens, or other material you would prefer not to send in cleartext. Email itself is not a trustworthy channel — this fixes that.

Current key

Aevrix Security <security@aevrix.org>.

Status: Key onboarding in progress.

The dedicated PGP keypair for security@aevrix.org is being generated on hardware-backed storage and will be published here once cross-signed. Once published, this section will show:

  • The full openpgp4fpr 40-character fingerprint
  • An ASCII-armoured public-key block
  • A WKD-discoverable URL at https://aevrix.org/.well-known/openpgpkey/hu/...
  • The expected next-rotation date

Until then: send your report in plaintext if you cannot encrypt; we will move to an encrypted channel during the first reply. Do not delay reporting because the key is not yet published.

Verifying our key

How you'll know it's real.

  • The fingerprint will be published here, at /.well-known/security.txt, and on the aevrix.dev site under /.well-known/openpgpkey/hu/.
  • The key will be cross-signed by an existing Aevrix corporate identity key already on keys.openpgp.org.
  • If the fingerprint shown to you anywhere does not match the one on this page over HTTPS, do not trust it. Email security@aevrix.org in plaintext and report the discrepancy.
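
As an added example (not part of this page or of the Aevrix program's own tooling), the fingerprint check described above in Python: it parses the output of `gpg --with-colons --fingerprint security@aevrix.org`, compares the primary key's fingerprint with the value published over HTTPS (accepting the `OPENPGP4FPR:` URI form, space-grouped or bare hex), and refuses an expired key. The embedded gpg output and fingerprint values are constructed placeholders, since the real key is not yet published.

```python
"""Check a fetched OpenPGP key against the fingerprint published on this page (added example)."""
import re
import time

# Constructed sample of `gpg --with-colons --fingerprint security@aevrix.org` output:
# one primary key (pub + fpr) and one subkey (sub + fpr). The real key is not
# published yet, so these fingerprints are placeholders. Field 7 = expiry epoch.
SAMPLE_COLONS = """\
pub:u:255:22:0123456789ABCDEF:1700000000:1731536000::u:::scESC::::::23::0:
fpr:::::::::0000111122223333444455556666777788889999:
uid:u::::1700000000::0000000000000000000000000000000000000000::Aevrix Security <security@aevrix.org>::::::::::0:
sub:u:255:18:FEDCBA9876543210:1700000000:1731536000:::::e::::::23:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:
"""

def normalize_fpr(text):
    """Accept an OPENPGP4FPR: URI, space-grouped or bare hex; return 40 uppercase hex digits."""
    text = text.strip()
    if text.upper().startswith("OPENPGP4FPR:"):
        text = text[len("OPENPGP4FPR:"):]
    fpr = re.sub(r"\s+", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError(f"not a v4 OpenPGP fingerprint: {text!r}")
    return fpr

def primary_key(colons):
    """Return the primary key's fingerprint and expiry; subkeys are ignored."""
    lines = colons.splitlines()
    for i, line in enumerate(lines):
        fields = line.split(":")
        if fields[0] == "pub":
            expiry = int(fields[6]) if fields[6] else None  # empty = never expires
            # gpg emits the fpr record right after the pub record it belongs to
            fpr_line = next(l for l in lines[i + 1:] if l.startswith("fpr:"))
            return {"fpr": fpr_line.split(":")[9], "expires": expiry}
    raise ValueError("no primary key in gpg output")

def verify_key(colons, published_fpr, now=None):
    """Compare the fetched key with the fingerprint published over HTTPS; refuse expired keys."""
    key = primary_key(colons)
    now = time.time() if now is None else now
    if key["fpr"] != normalize_fpr(published_fpr):
        return False, "fingerprint mismatch: do not encrypt to this key, report it in plaintext"
    if key["expires"] is not None and key["expires"] < now:
        return False, "key expired: fetch the rotated key from this page"
    return True, "fingerprint matches the published value"
```

The comparison is against the primary key only; subkey fingerprints (the second `fpr` record) are deliberately not accepted as a match.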

Rotation policy

Cadence and revocation.

  • The signing key has a published expiration date; we rotate annually with a roll-over signing period of 30 days during which both keys are valid.
  • If a key is compromised, we will publish a signed revocation, replace the key on this page, and notify all in-flight reporters by reply.
  • Old expired keys remain on the page (clearly marked) for historical decryption of past correspondence.

Alternative channels

If PGP is not your tool.

  • You may upload a redacted PoC to a private, expiring share (e.g., Bitwarden Send, OnionShare) and email the link to security@aevrix.org.
  • For extreme cases, we will set up a Signal contact during the first reply; do not attempt to set one up before that reply.
  • We do not run a Tor onion service for vulnerability intake. We may add one if researchers ask.

Ready when you are.

Plaintext is fine for first contact. Switch to encrypted on second reply.