You're pledging to donate if the project hits its minimum goal and gets approved. If not, your funds will be returned.
proofbundle turns an AI-evaluation result into a portable, signed, Merkle-anchored, selectively-disclosable receipt anyone can verify offline — Ed25519 (RFC 8032), RFC 6962/9162 Merkle inclusion, optional SD-JWT (RFC 9901) selective disclosure, in-toto/DSSE export. MIT-licensed Python; the trusted core (signature / merkle / bundle) depends only on pyca/cryptography and rolls no crypto of its own. It attests authorship + integrity of a claimed result — not that the number is correct. This grant seeds an independent security audit of that core.
Goal: one independent, published security audit of proofbundle's trusted core, so third parties can rely on it as the signature + selective-disclosure layer for verifiable AI evals. How: (1) scope a bounded review with OSTIF — verification logic, bundle parsing/canonicalization (RFC 8785), SD-JWT checks, CI/build path, threat model; (2) run the audit; (3) remediate every confirmed finding with regression + mutation tests and publish the report. The core is deliberately tiny and standards-native, which makes it cheap to review and fast to harden.
Entirely toward the audit. At the $5,000 minimum: auditor scoping with OSTIF plus a first review pass of the trusted core and initial fixes. At the $12,000 goal: that plus broader review coverage (bundle parsing/canonicalization, SD-JWT, CI/build path) and remediation with regression + mutation tests. A parallel Foresight Secure AI Grant covers the full audit; OSTIF sources and manages the audit team. No overhead beyond the audit and maintainer remediation time.
Konrad Gruszka (b7n0de), sole maintainer. proofbundle ships a deliberately small, review-first trusted core with a mutation-gated test suite, parser fuzzing, CI, a documented security policy and formal spec (SECURITY.md + SPEC.md in the repo), and PEP 740 + SLSA build provenance on every release — built to be reviewed, not just used. It already verifies real Sigstore Rekor inclusion proofs and RFC 6962 conformance vectors offline. Repo: github.com/b7n0de/proofbundle
Most likely: the audit surfaces issues that cost more than the seed to fully remediate — mitigated because the core is small, the fixes are bounded, and the Foresight track covers the larger budget. Second: low adoption regardless of the audit — mitigated by parallel work on an in-toto eval-result predicate and inspect_ai visibility that give the receipt a home. Worst case, the funds still buy a public security review of an open-source tool — a net good even with limited uptake. Honest note: the project is young (public since July 2026), so this is early-stage funding.
$0 raised externally. The project has been entirely self-funded out of pocket — covering ongoing running costs (rented GPU compute, GitHub, AI tooling such as Anthropic, and my own hardware for local development) plus maintainer time. This is the first external funding request; a Foresight Secure AI Grant application is in preparation in parallel, and OSTIF has been contacted to scope/manage the audit.
There are no bids on this project.