The WorkProof Schema is a specification, but it has direct security implications — particularly around the attestation format, consent gate model, and credential signing.
If you discover a security issue in the specification (e.g. an attack on the consent gate model, a flaw in the attestation verification flow, or a privacy leak in the schema design), please report it privately to:
Do not file public GitHub issues for security concerns.
Please include the following in your report:
- A clear description of the issue
- Steps to reproduce (or theoretical attack model)
- The version of the spec affected
- Your name and contact info (so we can credit you, if you'd like)
We aim to acknowledge reports within 5 business days and provide an initial assessment within 14 days.
In scope:
- Specification design flaws (consent gate bypass, attestation forgery, etc.)
- Privacy issues in the schema design
- Cryptographic weaknesses in the attestation format
Out of scope:
- Implementation bugs in third-party tools that implement WorkProof (report those to the implementation maintainers)
- TalentProof.ai platform-specific issues (report those to [email protected] with the platform mentioned)