Last updated: May 28, 2026. statecraft.fyi intentionally uses a conservative host-only HSTS policy for the static distribution/docs site. Relay HSTS is managed separately on relay.statecraft.fyi.

Contact

Send security reports to [email protected]. If mail delivery fails, use [email protected] and include "security" in the subject line. We aim to acknowledge new reports within 48 hours and provide an initial assessment within 7 days.

Scope

In scope:
  • Envoy CLI.
  • Envoy relay.
  • Envoy CLI, relay, Connected, and cryptographic behavior.
Out of scope:
  • Social engineering.
  • Denial-of-service reports that do not include a distinct security impact.
  • Vulnerabilities in third-party dependencies that have not been shown to create an Envoy-specific impact.

Disclosure

Use coordinated disclosure. Please give Entropic Space Corporation up to 90 days to investigate, fix, and release before public disclosure. We will credit researchers in release notes when they want credit and when the report results in a security fix. Envoy does not currently operate a bug bounty program. Reports are still welcome during early access.

Release Verification Trust Root

Envoy release downloads are verified with a signed SHA256SUMS manifest. The installer and manual verification flow trust this release checksum public key:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAeVK5EDP2zgidmolX5Xpehp7JqENtbPAF2egFUGqPSv [email protected]
Use principal envoy-release and namespace [email protected] when verifying SHA256SUMS.sig.
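The following is an added worked example of the manual verification flow described above, written for a POSIX shell with OpenSSH's ssh-keygen; it is not Envoy's installer or project code. The principal and the public key come from this page. The signing namespace is redacted on the page, so NAMESPACE_PLACEHOLDER stands in for it and must be replaced with the namespace stated above. The allowed_signers file format and the ssh-keygen -Y flags are standard OpenSSH; the sha256sum/shasum fallback is a portability choice of this example.

```shell
#!/bin/sh
# Added example, not Envoy's installer: verify a release's SHA256SUMS manifest
# against the pinned envoy-release key with OpenSSH's "ssh-keygen -Y verify",
# then check one or more downloaded artifacts against the verified manifest.
# ASSUMPTION: the signing namespace is redacted on the policy page, so
# NAMESPACE_PLACEHOLDER below must be replaced with the namespace it states.
set -eu

ENVOY_RELEASE_PRINCIPAL="envoy-release"
ENVOY_RELEASE_NAMESPACE="NAMESPACE_PLACEHOLDER"
# Key type and base64 blob exactly as published; the key comment is not needed.
ENVOY_RELEASE_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAeVK5EDP2zgidmolX5Xpehp7JqENtbPAF2egFUGqPSv"

# Write an allowed_signers file that pins one principal to one key and one
# namespace, so a signature made by any other key, or by this key for any
# other purpose, is rejected. $1=output path $2=principal $3=namespace $4="keytype base64"
write_allowed_signers() {
    printf '%s namespaces="%s" %s\n' "$2" "$3" "$4" > "$1"
}

# Verify manifest $4 against the detached signature "$4.sig".
# Returns 0 only for a good signature by the pinned principal in namespace $3.
# $1=allowed_signers path $2=principal $3=namespace $4=manifest path
verify_manifest() {
    ssh-keygen -Y verify -f "$1" -I "$2" -n "$3" -s "$4.sig" < "$4" >/dev/null 2>&1
}

# Portable SHA-256 (coreutils sha256sum, or shasum on systems without it).
sha256_cmd() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# Check artifact $2 (a file name in the manifest's directory) against manifest $1.
# Only the manifest line for that file is fed to the checker, so an artifact
# that is not listed in the manifest fails rather than being silently skipped.
check_artifact() {
    ( cd "$(dirname "$1")" \
        && awk -v f="$2" '$2 == f || $2 == "*" f' "$(basename "$1")" \
        | sha256_cmd -c - >/dev/null 2>&1 )
}

# Full flow: $1 = directory holding SHA256SUMS and SHA256SUMS.sig,
# remaining args = artifact file names in that directory to check.
verify_release() {
    dir="$1"; shift
    manifest="$dir/SHA256SUMS"
    signers="$dir/allowed_signers"
    write_allowed_signers "$signers" "$ENVOY_RELEASE_PRINCIPAL" "$ENVOY_RELEASE_NAMESPACE" "$ENVOY_RELEASE_KEY"
    if ! verify_manifest "$signers" "$ENVOY_RELEASE_PRINCIPAL" "$ENVOY_RELEASE_NAMESPACE" "$manifest"; then
        echo "SHA256SUMS.sig does not verify against the pinned $ENVOY_RELEASE_PRINCIPAL key" >&2
        return 1
    fi
    for f in "$@"; do
        check_artifact "$manifest" "$f" || { echo "checksum mismatch or unlisted artifact: $f" >&2; return 1; }
    done
    echo "manifest signature and artifact checksums OK"
}

# usage: sh verify_release.sh ./downloads envoy-linux-amd64.tar.gz
if [ $# -gt 0 ]; then verify_release "$@"; fi
```

The order matters: the manifest's signature is checked first, and only then are artifact hashes compared, so a checksum is never trusted before the manifest it came from is. Pinning the namespace in allowed_signers means a signature the release key might legitimately make for some other purpose cannot be replayed as a release manifest signature, and feeding only the matching manifest line to the checker turns "file not in manifest" into a failure instead of a skipped line.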