Trust is built, not claimed.
A single page that tells you, at any moment, what Zbelthas has actually done for your security — and what is still a promise. We would rather be clear about what we have not done yet than exaggerate what we have.
The four pillars
Architectural readiness
Zbelthas is structured to ease compliance with GDPR, eIDAS 2.0, NIS2, DORA, MiCA, CRA and the EU AI Act: non-custodial, serverless and zero-metadata by design. Compliance starts in the architecture, not in the paperwork; the architecture cannot replace the paperwork, but it keeps most of it small.
Public audit policy
All future third-party security audits will be published here in full, including findings that have not yet been fixed and the reason why. No cherry-picking.
Reproducible builds (target)
We are working towards bit-for-bit reproducible release artifacts so anyone can rebuild the binary from source and verify it matches the download.
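What that target means in practice, as an added illustration rather than Zbelthas's own build code: the reason two builds of the same source normally differ is not the compiler output but the packaging metadata around it (timestamps, uid/gid, member order, gzip header). The example below packages a constructed file tree the "naive" way and the normalised way, then runs the check a verifier performs, a digest comparison, and a diagnostic that names the offending header fields. The file tree, build times and the pinned SOURCE_DATE_EPOCH value are constructed for the demo; a real pipeline derives the epoch from the source commit.

```python
"""Deterministic packaging plus the verification step of a reproducible-build check.

Added example, not Zbelthas code. Tree contents, timestamps and the pinned
SOURCE_DATE_EPOCH are constructed for the demonstration.
"""
import gzip
import hashlib
import io
import tarfile

# Constructed stand-in for a build's output tree: path -> file bytes.
SAMPLE_TREE = {
    "zbelthas/bin/zbelthas": b"\x7fELF-placeholder-binary-bytes",
    "zbelthas/share/LICENSE": b"Copyright (c) example\n",
    "zbelthas/README": b"constructed sample\n",
}

# Assumed pinned timestamp (the SOURCE_DATE_EPOCH convention from
# reproducible-builds.org); in a real pipeline it comes from the source commit.
SOURCE_DATE_EPOCH = 1_700_000_000


def _pack(entries, mtime, uid, owner_name, gzip_mtime):
    """Write a ustar archive for (path, bytes) pairs and gzip it.
    Every nondeterministic field is a parameter so both styles share one writer."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for path, data in entries:
            info = tarfile.TarInfo(path)
            info.size = len(data)
            info.mtime = mtime
            info.uid = info.gid = uid
            info.uname = info.gname = owner_name
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(data))
    # gzip.compress(mtime=...) controls the 4-byte MTIME field of the gzip header.
    return gzip.compress(buf.getvalue(), mtime=gzip_mtime)


def naive_archive(tree, build_time, uid=1000):
    """Packaging the way a non-reproducible pipeline does it: wall-clock mtimes,
    the build host's uid/gid and user name, and whatever order the directory
    walk returned (here: the dict's insertion order)."""
    return _pack(tree.items(), build_time, uid, "builder", build_time)


def reproducible_archive(tree, source_date_epoch=SOURCE_DATE_EPOCH):
    """Same content with every source of nondeterminism normalised: sorted
    member order, pinned mtime, uid/gid 0 with empty names, fixed mode and a
    zeroed gzip header timestamp."""
    return _pack(sorted(tree.items()), source_date_epoch, 0, "", 0)


def sha256_hex(blob):
    return hashlib.sha256(blob).hexdigest()


def verify_reproducible(downloaded, rebuilt):
    """The check a verifier runs: the digest published for the download must
    equal the digest of a local rebuild. Bit-for-bit equality is the only pass."""
    return sha256_hex(downloaded) == sha256_hex(rebuilt)


def explain_mismatch(a, b):
    """Diagnose a non-reproducible pair by comparing tar member headers.
    Returns a list of human-readable differences (empty when identical)."""
    def members(blob):
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
            return [(m.name, m.mtime, m.uid, m.gid, m.uname, m.gname, m.mode)
                    for m in tar.getmembers()]
    ma, mb = members(a), members(b)
    diffs = []
    if [m[0] for m in ma] != [m[0] for m in mb]:
        diffs.append("member order differs")
    for x, y in zip(sorted(ma), sorted(mb)):   # align by name, then compare headers
        if x != y:
            diffs.append(f"{x[0]}: {x[1:]} != {y[1:]}")
    return diffs


def demo():
    """Two builders with different clocks, uids and walk order: the naive archives
    diverge, the normalised ones match. Returns (naive_ok, reproducible_ok)."""
    walk_reversed = dict(reversed(list(SAMPLE_TREE.items())))
    naive_a = naive_archive(SAMPLE_TREE, build_time=1_700_000_100, uid=1000)
    naive_b = naive_archive(walk_reversed, build_time=1_700_000_200, uid=1001)
    repro_a = reproducible_archive(SAMPLE_TREE)
    repro_b = reproducible_archive(walk_reversed)
    return verify_reproducible(naive_a, naive_b), verify_reproducible(repro_a, repro_b)


if __name__ == "__main__":
    naive_ok, repro_ok = demo()
    print("naive archives identical:      ", naive_ok)
    print("normalised archives identical: ", repro_ok)
```

The diagnostic matters as much as the digest check: a verifier who only learns "hashes differ" cannot tell a tampered download from a build environment that leaks its hostname or clock into the artifact, so a reproducibility claim should come with tooling that shows which field diverged.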
Post-quantum signed releases (target)
Releases will be signed in hybrid mode (Ed25519 + ML-DSA-87, the FIPS 204 parameter set). A release should be accepted only when both signatures verify over the same artifact, so a forgery would require breaking both schemes. The public keys will be published here and in the docs; verify their fingerprints through more than one channel before trusting them.
Responsible disclosure
We welcome vulnerability reports from the security community. Reach us at security@zbelthas.com and follow the rules below. A coordinated bug-bounty programme is not yet public; when it is, it will be listed here with scope and rewards.
- Report in private first — do not publish details before we have responded.
- Do not exfiltrate user data. Stop once you have proof of concept.
- Do not degrade service (no stress/DoS, no spam of third parties).
- Acknowledgement within 72 hours; triage within 7 days; fix schedule communicated transparently.
- Safe-harbor: researchers acting in good faith under this policy will not be pursued.
- Out of scope: social engineering of staff, physical attacks, third-party services we do not operate, recently disclosed CVEs (<30 days) in upstream dependencies.
Where to reach us: security@zbelthas.com for vulnerability reports, under the rules above.
What is still a promise
Being honest about gaps is part of security. These are commitments we have not yet delivered publicly:
- Independent third-party security audit (planned; budget requires community support).
- Public bug-bounty programme with defined rewards.
- Fully reproducible build pipeline for release artifacts on all supported platforms.
- Transparency report with the volume of legal requests received (to be published annually once there is data to report).
- Signed SBOM for each release.
Progress on each item will be reflected here. If you can help accelerate any of them, see the Donate page.
At a glance
These are architectural facts (how the product is built), not usage metrics. We do not collect usage metrics.
Verifiable Transparency & Independent Audits
Our security claims are meant to be independently verifiable rather than taken on trust. We are committed to rigorous third-party security audits that provide independent evidence about the integrity of our architecture.
Professional security audits require significant investment. Community support enables us to commission independent assessments from recognized security firms, providing transparent validation of our security model.
Where others make marketing claims, Zbelthas aims to provide verifiable evidence: published audit reports, reproducible builds and signed artifacts.
Code Audits
- Full source code review by security experts
- Vulnerability assessment and penetration testing
- Memory-safety review of the Rust implementation
- Verification that the code base contains no `unsafe` blocks (enforceable with `#![forbid(unsafe_code)]`)
Cryptographic Audits
- Post-quantum algorithm implementation review
- Key generation and management validation
- Side-channel attack resistance testing
- Review of the mathematical security arguments for the constructions used
Audit Transparency Commitment
All security audit reports will be published publicly. We believe in radical transparency: users deserve to see exactly what security experts found, what was fixed, and what guarantees our architecture provides. No hidden vulnerabilities, no marketing spin, just the findings as written.