last-mile verification for trust infrastructure.
spec (canonical): https://github.com/1seal/lmv-spec overview: https://1seal.org/protocols/
this repo contains org-level metadata and pointers (including security policy).
canonical spec artifacts live in https://github.com/1seal/lmv-spec
mirror (legacy): this repo also contains copies under docs/:
docs/THREAT_MODEL.mddocs/NON_GOALS.mddocs/protocols/DEGRADED_MODE.mddocs/protocols/APPEAL_RESOLUTION.mddocs/protocols/INVARIANT_LIFECYCLE.mddocs/protocols/ERROR_COST_FRAMEWORK.md
canonical list of published advisories with visible credit:
- CVE-2026-22703 — sigstore/cosign — https://github.com/sigstore/cosign/security/advisories/GHSA-whqx-f9j3-ch6m
- CVE-2026-23831 — sigstore/rekor — https://github.com/sigstore/rekor/security/advisories/GHSA-273p-m2cw-6833
- CVE-2026-24117 — sigstore/rekor — https://github.com/sigstore/rekor/security/advisories/GHSA-4c4x-jm2x-pf9j
- CVE-2026-24137 — sigstore/sigstore — https://github.com/sigstore/sigstore/security/advisories/GHSA-fcv2-xgw5-pqxf
- CVE-2026-23991 — theupdateframework/go-tuf — https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-846p-jg2w-w324
- CVE-2026-23992 — theupdateframework/go-tuf — https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-fphv-w9fq-2525
- CVE-2026-24686 — theupdateframework/go-tuf — https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-jqc5-w2xx-5vq4
- CVE-2026-24845 — chainguard-dev/malcontent — https://github.com/chainguard-dev/malcontent/security/advisories/GHSA-9m43-p3cx-w8j5
- CVE-2026-24846 — chainguard-dev/malcontent — https://github.com/chainguard-dev/malcontent/security/advisories/GHSA-923j-vrcg-hxwh
security reporting: see SECURITY.md.