Security research on Knox — scope, rules, safe harbor.
Knox is audit-permanence infrastructure. A finding that Knox records can be forged, verification can be bypassed, or the formal spec is unsound is important — and Bonis Systems responds on a documented SLA. This page is the coordinated-disclosure contract. Research within scope is authorized; findings are credited and fixed; publication follows embargo until a fix ships.
Live operational posture
No claims — only counts. Every line below is a verifiable artifact, not a marketing assertion. Re-check any of them in your terminal.
DiGiVPS-IN + SnTHostings-IN credential-harvesting bots identified during the 2026-04-24 sweep — blocked at middleware, never reach app code, never query DB. Operator allowlist exempts authorized admin traffic.
src/middleware.ts §0a-0b · revision terravault-00366-2jw+ML-DSA 44/65/87 + SLH-DSA sha2-128s/192s/256s (FIPS 204+205 signatures). ML-KEM 512/768/1024 (FIPS 203 key encapsulation). Hybrid-by-default; classical RSA/ECDSA/Ed25519 retained.
/api/knox/agents/crypto-signature · /api/knox/agents/crypto-kemCloud Scheduler jobs at :00 (knox-anchor), :15 (knox-monitor), :30 (core-events-checkpoint), :45 (knox-continuous-monitoring) — all every hour, every day, since revision 00200-class.
gcloud scheduler jobs list --location=us-central1deploy.sh signs a build record into Knox before Cloud Run flips traffic to the new revision. The image you're hitting was anchored to Bitcoin via OpenTimestamps before it served its first request.
deploy.sh §[+] Anchoring build into KnoxVerify-yourself one-liners
# Anchor cadence (Cloud Scheduler) — public, no auth needed: curl -sS https://bonissystems.com/api/knox/health | jq # Post-quantum signature capability descriptor: curl -sS https://bonissystems.com/api/knox/agents/crypto-signature | jq .pqc_algorithms # Post-quantum KEM capability descriptor (Layer 10): curl -sS https://bonissystems.com/api/knox/agents/crypto-kem | jq .supported_algorithms # Edge-defense headers — should include x-knox-shield: curl -sI https://terravaulthq.com/
Article V.8 — Knox watches Knox. The platform anchors its own operational state to itself, then to Bitcoin. The numbers above are produced by the system the page describes; the verifier is the same one published at /legal-kit/bonis-verify.mjs.
Reporting channel
Email — and anchor your report to Knox before you send it
Send a coordinated-disclosure report to [email protected] with subject line [Knox Security] <short summary>. Include:
- Clear description of the finding and its category (forgery / bypass / spec-unsoundness / info-disclosure / other).
- Steps to reproduce — shell commands, curl calls, or a minimal script.
- The artifact that makes the finding concrete (a Knox anchor ID, a SHA-256, a payload, a spec state trace, a zero-dep-verifier transcript).
- Your preferred attribution name and contact for coordinated-disclosure follow-up.
Recommended — anchor your report to Knox before sending
Before emailing Bonis Systems, compute the SHA-256 of your report file and anchor it. This gives you a Bitcoin-backed timestamp of the report you are about to send, that cannot be disputed later by either side. Anchoring requires a Knox Bearer key — provision one by signing up at /bonis (free tier covers 10,000 anchors / month after email verification). Then:
# 1. Hash your report (any file type)
HASH=$(shasum -a 256 knox-finding-report.pdf | awk '{print $1}')
# 2. Anchor the hash — Bearer key required (export KNOX_KEY first)
curl -sS -X POST https://bonissystems.com/api/knox/public-anchor \
-H "Authorization: Bearer $KNOX_KEY" \
-H "Content-Type: application/json" \
-d "{\"hash\":\"$HASH\",\"filename\":\"knox-finding-report.pdf\",\
\"sizeBytes\":$(stat -f%z knox-finding-report.pdf),\
\"mimeType\":\"application/pdf\"}"
# 3. The response returns {anchor: {anchorHash, sequence, verifyUrl, ...}, affidavit}
# Include that anchor in your email so both parties have a public
# timestamp of when the finding was reported.Why: the same permanence primitive that makes Knox worth reporting bugs against also makes the reporting itself tamper-evident. Neither party can later dispute when the finding arrived or what it contained.
Severity + response SLA
| Severity | Example | Triage | Acknowledgement |
|---|---|---|---|
| Critical | Any finding that produces a valid Knox anchor without going through the documented canonicalizer — i.e. a forgery. Also: any private-key or signing-material exposure. | 4 hours | 24 hours — pre-publication embargo until fix ships and retest confirms |
| High | A valid Knox record that fails verification by the zero-dep verifier. Successful hash-chain rewrite. OpenAPI schema drift that causes auth bypass. | 1 business day | 7 days |
| Medium | Information disclosure in error responses. Rate-limit enforcement gap on authenticated endpoints. TLA+ invariant that passes model-check but fails an edge case the spec did not model. | 3 business days | 14 days |
| Low | Documentation contradictions, missing HTTP security header, minor enumeration, hardening opportunities. | 5 business days | 30 days |
Scope
- Knox public API
Every endpoint documented in /api/knox/openapi — public-anchor, verify, attest, multi-chain, sbom/illuminate, supply-chain/trace, exclusions/check, health.
- Zero-dep verifier script
/legal-kit/bonis-verify.mjs. Any finding that causes the script to accept a record that has been tampered, or reject a record that is valid.
- TLA+ formal specification
/spec/knox_anchor_chain.tla and /spec/core_event_store.tla. Findings include: a state reachable by the system that is not modeled by the spec, or an invariant that holds in TLC but not in the implementation.
- Air-gap Docker bundle
/legal-kit/bonis-airgap-docker-bundle.zip. Findings include: the bundle's offline verifier accepts a forged record, or the bundled OFAC/FAR snapshots are inconsistent with their published source.
- Multi-chain routing and OpenTimestamps integration
Findings where a Merkle root Knox claims was fanned out to a surface was not actually committed there.
- Charter + governance surface
Findings where an agent run violates its charter as published in /bonis/agents without being flagged by the Knox-watches-Knox meta-layer.
- Denial-of-service attempts. Rate-limiting is documented and intentionally conservative; probing it is noise, not signal.
- Social engineering of Bonis Systems personnel, partners, or vendors.
- Findings that rely on having stolen an existing API key — report the key-theft incident, not the anchor made with the stolen key.
- Physical attacks on Bonis Systems infrastructure (there is no physical infrastructure; the entire surface is Google Cloud Run).
- Third-party services Bonis integrates with but does not operate (OpenTimestamps calendar servers, Bitcoin miners, Resend, Cloudinary, Anthropic API, Google Cloud platform). Report those upstream.
- Theoretical attacks on SHA-256 itself. If SHA-256 breaks, so does every mainstream system in deployment; out of scope here.
Safe harbor for authorized research
Research conducted in good faith against the in-scope targets above is authorized by Bonis Systems LLC and shall not be the basis for legal action. Good faith means:
- You do not exfiltrate data beyond what is strictly necessary to prove the finding.
- You do not disclose findings publicly before coordinated-disclosure embargo ends (see SLA above).
- You do not test against actual customer data you know to be in production — synthetic inputs only.
- You do not demand payment in exchange for withholding a finding; this is not a paid bounty, it is a responsible-disclosure program.
- You operate within the applicable laws of your jurisdiction and ours (Wyoming, United States).
This language is a policy commitment, not a contract of adhesion, and is not intended to waive any rights beyond the in-scope testing activities above. If in doubt about whether a specific probe is authorized, email first and ask.
Hall of fame
No validated findings have been reported against the in-scope targets to date. When the first valid finding is reported, resolved, and retested, this section will publish — with the reporter's credit — the finding summary, the Knox anchor of the original report, the Knox anchor of the fix commit, and the retest transcript. Every entry will itself be Knox-anchored.
The absence of entries below this paragraph is a statement Bonis Systems expects to have to revise. It is published as-is per the Truth Protocol: claiming a populated hall of fame without entries would be a fabrication, and silence until the first entry is what the Smartest People Standard requires.
Why you cannot forge a Knox record — walk the tamper checks
The verifier runs four cryptographic checks. This section walks each attempt to forge a record and shows which check rejects it. This is a computational demonstration, not a policy statement — the math is in the published TLA+ spec at /bonis/spec and in /legal-kit/bonis-verify.mjs.
Alter any byte in the event's payload (filename, size, MIME type, file hash). Re-submit the same declared hash.
The verifier recomputes the canonical hash from the payload using the documented canonicalizer (see bonis-verify.mjs:hashKnoxEvent). The recomputed hash does not match the declared hash. [FAIL] — payload has been altered.
Submit a valid canonicalized payload but with an arbitrary declared hash.
Same check as Step 1 in reverse: the declared hash is checked against the recomputed hash, not accepted as-is. [FAIL] — declared hash does not match recomputed.
Change the prev_hash field to point to a different predecessor, attempting to rewrite chain history.
The chain-continuity check requires prev_hash to be a 64-hex SHA-256 of the actual prior record in the Merkle tree. The server-side canonicalizer produces a different leaf hash when prev_hash changes — breaking the Merkle inclusion proof at Step 4.
Construct a proof chain of sibling hashes that claims the event is included in a different Merkle root.
The verifier walks the proof from leaf to root using only the stdlib SHA-256 pair-hash. The final computed root is compared byte-for-byte against the declared Merkle root. Unless you can produce a SHA-256 collision on 32-byte inputs, the Merkle math rejects the forged proof. [FAIL] — event is not included in the declared Merkle root.
Produce an OpenTimestamps proof showing the Merkle root was committed to a Bitcoin block earlier than it actually was.
The OTS client walks from the Merkle root through calendar-server commitments to the actual Bitcoin block header. Bitcoin block headers cannot be retroactively generated without re-mining the chain from the backdated block forward — an energy cost that exceeds every coordinated state actor's annual budget. [FAIL] — backdating Bitcoin is not within the defensive model of any party Knox is defending against.
What this does NOT prove
This walkthrough shows the tamper-evidence primitives are sound, given that SHA-256 is collision-resistant and Bitcoin's header chain cannot be retroactively rewritten by an adversary with less than a majority of global hashpower. It does not prove:
- That every record the system has ever issued was correctly anchored — that requires independent log review, which the published TLA+ spec and zero-dep verifier enable.
- That every Knox agent's operational decisions are well-formed — that is the purpose of the Knox-watches-Knox dogfooding layer documented at /bonis/knox-watches-knox.
- That the evidentiary envelope (signers, geo, oracles) is truthful — Knox anchors what was presented to it. Falsity in the submitted envelope is an application-layer concern; Knox's role is permanence of the record, not truth of the content.
Findings in any of the three categories above are in scope and valued. The point of this page is to make the contract explicit.
Related
Operator: Bonis Systems LLC · UEI R2BPJDC5CBA3 · CAGE 1TSP2 · USPTO provisional 64/038,359 (inventor: Jonis Aaron Fields) · Contact: [email protected] · +1 (210) 452-3767.