Vauban / Trust Center

Security Disclosures

Responsible Disclosure

Vauban welcomes reports from security researchers who disclose vulnerabilities responsibly.

Contact : security@vauban.tech

Encrypted communication : PGP key fingerprint TBD, to be published in Phase 1+ (after Vauban-Tech SAS incorporation).

Response SLA :

  • Acknowledgment : 24 hours
  • Initial assessment : 72 hours
  • Fix timeline communication : 7 days

Bug Bounty Program

Status : planned for Phase 2+ (after the CSPN visa, Q3-Q4 2027). There are currently no monetary rewards, but acknowledgments and CVE attribution are available.

Security Architecture

4 Non-Negotiable Pillars

  1. ZK Privacy-First — no unencrypted PII on-chain; commitment schemes (Poseidon hash + salt)
  2. Post-Quantum (STARKs) — no Groth16/PLONK SNARKs; post-quantum resistant
  3. Zero Trust — systematic verification at all boundaries, no implicit trust
  4. Sovereignty — a documented exit plan for every external dependency

Authentication Stack

7 unified mechanisms (per Vauban Auth v0.4.0) :

  1. Wallet SNIP-12 (Starknet wallet signatures)
  2. Session keys (account abstraction Starknet)
  3. OAuth + derived AA (account abstraction derived from OAuth identity)
  4. JWT (ES256 asymmetric signing + HS256 legacy)
  5. API keys (legacy + service tokens)
  6. Webhook HMAC (server-to-server)
  7. client_credentials M2M (OAuth 2.1)

DPoP (RFC 9449) is implemented for all MCP write endpoints (Brain, Citadel, Starknet MCP, Command Center).

Cryptographic Standards

  • STARKs only for ZK proofs (post-quantum, no trusted setup)
  • Poseidon for privacy-critical hashes (ZK-friendly)
  • Pedersen for legacy compatibility only
  • ES256 (P-256 ECDSA) for JWT signatures
  • TLS 1.3 for all transport

MCP Security (per OWASP MCP Top 10)

  • MCP04 Command Injection — no unsanitized params to shell, allowlist + reject metacharacters
  • MCP07 Insufficient Authentication — mTLS or OAuth 2.1, no anonymous, token lifetime ≤30 days
  • MCP09 Shadow MCP Servers — pinned URLs, TLS cert pinning, no dynamic discovery
  • All MCP tool input schemas : .strict() (Zod) or additionalProperties: false (JSON Schema)
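
One way to apply the strict-schema and MCP04 rules above to a tool handler, as an added example rather than Vauban's own code; the tool name git_log, its fields and the patterns are hypothetical:

```javascript
// Added example. The tool name "git_log", its fields and patterns are
// hypothetical; this is not Vauban code.

// One entry per permitted property. Anything not listed is rejected, the same
// effect as Zod .strict() or JSON Schema additionalProperties: false.
const GIT_LOG_SCHEMA = {
  // First character may not be "-", so a value can never be read as an option.
  ref: { required: true, allow: /^[A-Za-z0-9][A-Za-z0-9._\/-]{0,63}$/ },
  limit: { required: false, allow: /^[1-9][0-9]{0,2}$/ },
};

// Shell metacharacters are reported separately so logs show the probe clearly.
const SHELL_META = /[;&|`$(){}<>\\'"!*?~\s]/;

function validateToolInput(schema, input) {
  if (input === null || typeof input !== "object" || Array.isArray(input)) {
    return ["input must be an object"];
  }
  const errors = [];
  for (const key of Object.keys(input)) {
    if (!Object.prototype.hasOwnProperty.call(schema, key)) {
      errors.push("unknown property: " + key);
    }
  }
  for (const key of Object.keys(schema)) {
    const value = input[key];
    if (value === undefined) {
      if (schema[key].required) errors.push("missing property: " + key);
    } else if (typeof value !== "string") {
      errors.push("not a string: " + key);
    } else if (SHELL_META.test(value)) {
      errors.push("metacharacter in: " + key);
    } else if (!schema[key].allow.test(value)) {
      errors.push("not allowlisted: " + key);
    }
  }
  return errors;
}

// Returns an argv array for child_process.execFile (no shell is spawned), or throws.
function buildGitLogArgv(input) {
  const errors = validateToolInput(GIT_LOG_SCHEMA, input);
  if (errors.length > 0) throw new Error("rejected: " + errors.join("; "));
  return ["log", "--max-count=" + (input.limit || "20"), input.ref, "--"];
}
```

Passing the returned array to child_process.execFile keeps the values out of any shell, so the metacharacter check is a second layer rather than the only one.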

RFC 9116 security.txt

Planned for publication in Phase 1+ at /.well-known/security.txt :

Contact: mailto:security@vauban.tech
Expires: 2027-12-31T23:59:59.000Z
Encryption: TBD Phase 1+ (PGP key)
Acknowledgments: https://trust.vauban.tech/security#acknowledgments
Preferred-Languages: en, fr
Canonical: https://trust.vauban.tech/.well-known/security.txt
Policy: https://trust.vauban.tech/security

Security Hardening Status

| Component | Status | Source |
|---|---|---|
| OAuth 2.1 PKCE on /mcp | ✅ Active | V8 unified MCP rollout |
| TOOL_SCOPE_MAP citadel | ✅ Active | MCP Audit Phase 2-3 |
| MCP rate limiting | ✅ Active (Traefik 20req/s) | Production |
| SDK CVE fixes | ✅ Active (^1.27.1 all 5 servers) | brain-mcp v0.7.9 published |
| DPoP RFC 9449 | ✅ Active (starknet-mcp + Vauban Auth + Bastion) | 17 tests total |
| SealedSecrets CC_CLIENT_* | ⏳ Phase 1.0 pending | MCP Audit remediation |
| NEXT_PUBLIC_ env dump in layout.tsx | ⏳ Critical pending (server proxy needed) | MCP Audit remediation |
| Phase 2.5 DeFi apps audit | ⏳ Pending | MCP Audit remediation |

Security posture score : 98/100 (per MCP Audit, all phases 1.0→3.3 complete, 2 critical items remaining)

Acknowledgments

(Empty currently — initial Trust Center MVP. Acknowledgments will be published as researchers report and we remediate.)

Cross-references

  • Threat model surface : governance/threat-model/per-product-surface.md
  • F-THREAT-1 Crypto : docs/threat-model/01-crypto.md (Pair 5 strategist deep, RETAINED)
  • MCP tool hardening rule : .claude/rules/security/mcp-tool-hardening.md
  • Compliance : compliance.md
  • Architecture attestation : architecture-attestation.md
  • Contact : contact.md