Security

Responsible Disclosure Policy

RegisteredBrands.AI (operated by RootVaultAI LLC) is a trust infrastructure platform where security is foundational. If you've discovered a vulnerability in our systems — including our APIs, cryptographic implementations, payment flows, or AI agent interfaces — we want to hear from you.

Effective Date: March 3, 2026

Our Commitment to Security

As a platform that handles cryptographic identity, USDC payments, and AI agent verification, we hold ourselves to the highest security standards. Every vulnerability report is treated with urgency, transparency, and respect for the researcher.

24-Hour Acknowledgment

We acknowledge every valid report within 24 hours. You'll receive a tracking ID and a dedicated point of contact from our security team.

Transparent Process

We keep you informed at every stage — from triage to patch to public disclosure. No black holes, no silence.

Recognition & Rewards

Researchers who report valid vulnerabilities are credited in our security advisories (with your permission) and may be eligible for monetary rewards based on severity.

How to Report a Vulnerability

1. Send your report

Email [email protected] with a detailed description of the vulnerability. Include steps to reproduce, affected endpoints or components, proof-of-concept code, and the potential impact. For cryptographic or payment-related issues, include the specific algorithm, contract address, or transaction flow affected.

2. We acknowledge and triage

Within 24 hours, we'll confirm receipt, assign a severity rating (Critical / High / Medium / Low), and provide a tracking ID. Payment and cryptographic vulnerabilities are automatically escalated to Critical triage.

3. We investigate and patch

Our engineering team investigates the report, develops a fix, and deploys it. For critical issues affecting payments or cryptographic integrity, we target a 24-hour resolution window. For other critical issues, we target 72 hours.

4. We notify and credit

Once the fix is deployed, we notify you, publish a security advisory if appropriate, and credit you as the discoverer (with your permission). Monetary rewards are determined based on severity and impact.

Scope

In Scope

  • registeredbrands.ai and all subdomains
  • API endpoints (/api/v1/*, /api/trpc/*)
  • .well-known endpoints and manifests
  • Authentication and session management
  • Ed25519 signature generation and verification
  • Canonical JSON serialization logic
  • USDC payment flow (wallet connect → transfer → verification)
  • On-chain transaction verification logic
  • Stripe payment integration and webhook handling
  • Trust score computation and manipulation vectors
  • AI agent verification endpoints
  • Admin API and approval queue logic
  • Entitlement token issuance and validation
  • Rate limiting and access control bypass

Out of Scope

  • Social engineering or phishing attacks on our team
  • Denial of service (DoS/DDoS) attacks
  • Physical security of offices or data centers
  • Third-party services (Stripe dashboard, DNS providers, blockchain networks)
  • USDC smart contract vulnerabilities (report to Circle)
  • Base or Ethereum network-level vulnerabilities
  • Wallet software vulnerabilities (MetaMask, etc.)
  • Issues already known or being addressed
  • Automated scanning without prior approval
  • Vulnerabilities in outdated browsers
  • Reports without clear reproduction steps
  • Clickjacking on pages with no sensitive actions

Crypto and Payment-Specific Concerns

Payment Flow Vulnerabilities

Issues in our USDC payment verification, including: bypassing on-chain verification, spoofing transaction hashes, manipulating payment amounts, or activating entitlements without valid payment.

Cryptographic Issues

Weaknesses in our Ed25519 implementation, canonical JSON serialization, signature verification bypass, key management, or entitlement token forgery vectors.

AI Agent Abuse Vectors

Methods by which AI agents could abuse verification endpoints, bypass rate limits, manipulate trust scores, or exploit the approval queue to execute unauthorized actions.

Safe Harbor

We consider security research conducted in accordance with this policy to be authorized, lawful, and helpful. We will not pursue legal action against researchers who:

  • Act in good faith to avoid privacy violations, data destruction, and service disruption
  • Report vulnerabilities promptly and provide reasonable time for remediation before any public disclosure
  • Do not access, modify, or delete data belonging to other users
  • Do not exploit vulnerabilities beyond what is necessary to demonstrate the issue
  • Do not initiate real USDC transactions or interact with production payment flows during testing (use testnet or coordinate with us)
  • Do not attempt to forge entitlement tokens or cryptographic signatures for unauthorized access
  • Follow the reporting process described in this policy

If legal action is initiated by a third party against you for activities conducted in accordance with this policy, we will take steps to make it known that your actions were authorized under our responsible disclosure program.

Response Timeline

| Severity | Acknowledgment | Resolution Target | Examples |
|----------|----------------|-------------------|----------|
| Critical | < 4 hours | 24–72 hours | Payment bypass, key compromise, auth bypass |
| High | < 12 hours | 7 days | Trust score manipulation, rate limit bypass |
| Medium | < 24 hours | 30 days | Information disclosure, CSRF |
| Low | < 24 hours | 90 days | Minor UI issues, verbose errors |

Report a Vulnerability

Send your report to our security team. Include reproduction steps, affected endpoints or components, and any proof-of-concept code. For payment-related issues, include transaction details.

Security is foundational to trust. If you're building AI agents that transact autonomously, your brand's integrity starts with verifiable identity.
