# Security
Security is a foundational concern for the SIROS ID platform. This section documents our security practices, transparency measures, and guidance for integrators conducting their own security assessments.
## Security Principles
SIROS ID is designed with the following security principles:
- Zero-knowledge architecture — The platform operator cannot read user credentials or identify users
- Passkey-only authentication — No passwords; all user authentication via FIDO2/WebAuthn
- Hardware-backed keys — Cryptographic keys never leave the user's device (WSCD)
- Defense in depth — Multiple layers of protection at network, application, and data levels
- Supply chain transparency — Full visibility into dependencies via SBOMs
## Topics in This Section
| Topic | Description |
|---|---|
| Security Architecture | Overview of security controls and boundaries |
| Software Bill of Materials | Download and verify SBOMs for all SIROS components |
| Vulnerability Disclosure | How to report security issues (see below) |
| Cryptographic Practices | Key management, algorithms, and protocols (coming soon) |
| Compliance | Alignment with eIDAS 2.0, NIS2, and other frameworks (coming soon) |
## Reporting Security Issues
If you discover a security vulnerability, please report it responsibly:
- Email: [email protected]
Please do not disclose vulnerabilities publicly until we have had an opportunity to address them.
## Security Assessments
Organizations integrating SIROS ID may need to conduct their own security assessments. We support this by providing:
- Architecture documentation in this section
- SBOMs for dependency analysis
- Source code — all core components are open source
- Test environments — available on request for penetration testing
Contact us at [email protected] to coordinate security testing activities.