Prepared beats reactive Incident Response Activation & Advisory for UK SMEs
Security contact: [email protected]
Identity · Encryption · Verification

PGP Public Key.

Use this key to encrypt sensitive vulnerability reports or incident details before sending to [email protected]. Verify the fingerprint before trusting the key. If in doubt, confirm via a separate channel.

Verify before you trust

Always confirm the fingerprint shown above matches the key you have imported before encrypting anything sensitive. Verify out-of-band if you have any doubt: email [email protected] from a separate channel and ask for fingerprint confirmation.

ASCII-armoured public key

Copy the block below in its entirety, including the BEGIN and END lines, and import it into your keyring before encrypting a message.

Public key block · OpenPGP
-----BEGIN PGP PUBLIC KEY BLOCK-----

[PASTE YOUR ASCII-ARMOURED PUBLIC KEY HERE]

Replace this placeholder with your actual key block.
Generate with:
  gpg --armor --export [email protected]

Or with age/sq-keyring-linter for modern key hygiene.

-----END PGP PUBLIC KEY BLOCK-----

Download option

The key is also available as a plain-text file at /pgp-key.txt. Use this URL if you are importing directly via GPG or an automated tool. A detached signature will be published at /pgp-key.txt.asc once available.

How to encrypt a report using GnuPG

Three steps. Import the key, verify the fingerprint, encrypt your message. GnuPG is available on Linux, macOS, and Windows (GPG4Win).

Step 1: Import the key

# Download and import the public key
curl https://defendvista.com/pgp-key.txt | gpg --import

# Or import from a local file
gpg --import defendvista-publickey.asc

Step 2: Verify the fingerprint

# List the imported key and check the fingerprint
gpg --fingerprint [email protected]

# The fingerprint displayed MUST match the one shown
# on this page before you trust and use the key.

Step 3: Encrypt your message

# Encrypt a text file to DefendVista Security
gpg --encrypt --armor \
    --recipient "[email protected]" \
    report.txt

# This produces report.txt.asc
# Attach that file to your email to [email protected]

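
The three steps above combined into one script that refuses to encrypt unless the key file's fingerprint matches the value you confirmed out-of-band. This is an added example, not DefendVista's own tooling; the function names, the script name and the three arguments are assumptions.

```shell
#!/bin/sh
# Added example: encrypt only after the key's fingerprint has been checked.
# Assumes a GnuPG build that provides --show-keys.

# Strip whitespace and upper-case the hex so "abcd 1234" equals "ABCD1234".
normalise_fpr() {
    printf '%s' "$1" | tr -d ' \t\r\n' | tr 'abcdef' 'ABCDEF'
}

fpr_equal() {
    [ "$(normalise_fpr "$1")" = "$(normalise_fpr "$2")" ]
}

# Read `gpg --with-colons` output on stdin and print the primary key's
# fingerprint (field 10 of the first "fpr" record after "pub").
# Fails unless the input holds exactly one primary key, so a file that
# bundles an extra key cannot slip through.
primary_fpr_from_colons() {
    awk -F: '
        $1 == "pub"         { pubs++; want = 1; next }
        $1 == "fpr" && want { fpr = $10; want = 0 }
        END { if (pubs != 1 || fpr == "") exit 1; print fpr }
    '
}

# encrypt_verified KEYFILE EXPECTED_FPR REPORT
encrypt_verified() {
    actual=$(gpg --show-keys --with-colons "$1" | primary_fpr_from_colons) || {
        echo "refusing: $1 must contain exactly one primary key" >&2
        return 1
    }
    fpr_equal "$actual" "$2" || {
        echo "refusing: key has $actual, expected $2" >&2
        return 1
    }
    # Import, then address the recipient by fingerprint rather than by
    # e-mail address, so no other key with the same UID can be selected.
    gpg --import "$1" &&
        gpg --encrypt --armor --recipient "$actual" "$3"   # writes REPORT.asc
}

# Usage: sh encrypt-report.sh KEYFILE EXPECTED_FPR REPORT
if [ "$#" -eq 3 ]; then
    encrypt_verified "$@"
fi
```

Because the recipient is selected by fingerprint, GnuPG may still ask you to confirm use of a key it has no trust path to; the script's own check is what ties the key to the published value.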
Data minimisation reminder

Include only the minimum data required to demonstrate impact. Do not attach production logs or datasets containing personal data unless strictly necessary to describe the vulnerability. Sanitise log extracts where possible before sending.

What to include in an encrypted report

A complete report lets us triage and act faster. Include as many of these as are relevant to the finding:

  • Affected URL or system: the exact endpoint, page, or component
  • Description: what the vulnerability is and what an attacker could do with it
  • Steps to reproduce: a numbered sequence a second person could follow to confirm the finding
  • Impact assessment: what data or access is exposed, and under what conditions
  • Sanitised evidence: screenshots, logs, or request/response pairs with personal data removed
  • Your contact preference: anonymous, named, or a handle you are comfortable with

Add URGENT to your subject line if the vulnerability is being actively exploited or the exposure window is very short.

Keyservers and chain of trust

Where available, the DefendVista Security key will be published to keys.openpgp.org. That keyserver validates email ownership before publishing a key's UID, which reduces the risk of someone publishing a key under a UID they do not control.

The canonical source for the DefendVista public key is this page and defendvista.com/pgp-key.txt. Do not rely on unsigned keys from third-party keyservers without fingerprint verification against the value published here.

The machine-readable security policy at /.well-known/security.txt references this key. If the fingerprint in security.txt does not match this page, report that discrepancy to [email protected] immediately.