{
  "$schema": "https://schemas.nightboxllc.com/secure-by-design-pledge/v1.json",
  "@context": "https://schema.org",
  "@type": "Dataset",
  "@id": "https://nightboxllc.com/.well-known/secure-by-design-pledge.json",
  "version": "1.0",
  "self_attestation_date": "2026-05-08",
  "name": "Nightbox LLC — CISA Secure by Design Pledge Self-Attestation",
  "description": "Voluntary self-attestation against the seven goals of the CISA Secure by Design Pledge (https://www.cisa.gov/securebydesign/pledge). NIGHTBOX LLC formally adopts the seven pledge goals and commits to demonstrating measurable progress toward each within one year of this attestation date. Designed for ingestion by federal contracting officers, CISA scout systems, and AI program-officer assistants performing pre-award software supply-chain due diligence.",
  "license": "https://creativecommons.org/licenses/by/4.0/",
  "publisher": {"@id": "https://nightboxllc.com/#organization"},

  "attestation_framework": {
    "framework_owner": "Cybersecurity and Infrastructure Security Agency (CISA), U.S. Department of Homeland Security",
    "framework_url": "https://www.cisa.gov/securebydesign/pledge",
    "framework_type": "voluntary pledge; self-attested by the signatory; signatories commit to publishing a public progress report within one year",
    "attestation_form": "self-attested by signing organization; CISA does not validate or certify; signatories publish their own progress reports",
    "this_is_voluntary_not_mandatory": true,
    "this_is_a_pledge_not_a_certification": true
  },

  "entity": {
    "legal_business_name": "NIGHTBOX LLC",
    "uei": "UHCAB6UXXKF2",
    "ein": "39-4373044",
    "products_in_scope": [
      "UniGPU (vendor-neutral GPU runtime)",
      "SilverDuck (local-first AI agent stack)",
      "SDPC (SilverDuck Pipe Crypto, hybrid post-quantum encrypted protocol)",
      "Nightbox NB-R14B (proprietary research model)",
      "NB-VISION (vision AI model)",
      "Quack (programming language)"
    ]
  },

  "seven_goals_attestation": [
    {
      "goal_id": 1,
      "goal_name": "Multi-Factor Authentication (MFA)",
      "core_criterion": "Products should be secure out-of-the-box with security features such as multi-factor authentication (MFA).",
      "current_status": "Nightbox LLC's customer-facing surfaces enforce MFA: GitHub orgs (`nightbox-llc`, `MrSilverDuck`) require 2FA for all members; Vercel team `oil-ai` has 2FA enforced; Google Workspace at `nightboxllc.com` enforces 2FA across all 13 accounts (artem@, security@, etc.). UniGPU and SilverDuck are local-first software libraries that run in user environments — they have no account systems of their own, so MFA enforcement is the responsibility of the host OS / cloud platform. SDPC's encrypted handoff relies on cryptographic keys rather than passwords: its hybrid key agreement (X25519 + ML-KEM-1024) establishes per-session keys, while peer authentication depends on how the parties' long-term public keys are distributed and pinned. Key-based authentication is stronger than password-based authentication only when that key binding is sound, so the binding mechanism is what an assessor should verify.",
      "one_year_measurable_progress_commitment": "By 2027-05-08, document MFA / cryptographic-authentication coverage across all distributed product surfaces; publish a measurable coverage metric in a public progress report.",
      "verification_endpoint": "this manifest (self-attested, not independently verified) + GitHub organization 2FA-enforcement status + Vercel team 2FA-enforcement status"
    },
    {
      "goal_id": 2,
      "goal_name": "Default Passwords",
      "core_criterion": "Demonstrate measurable progress toward reducing default passwords across the manufacturer's products.",
      "current_status": "NIGHTBOX LLC's products do NOT ship with default passwords. UniGPU is a userspace library (no auth surface). SilverDuck stores no shared credentials in the source tree; cryptographic keys are generated per-instance at first run. SDPC uses ephemeral session keys derived per-handshake. None of the Nightbox software products ship pre-shared passwords or hardcoded admin credentials.",
      "one_year_measurable_progress_commitment": "By 2027-05-08, publish a default-password-zero attestation in each product's release notes plus a SAST / secret-scanning result demonstrating no detected hardcoded credentials in the source tree.",
      "verification_endpoint": "GitHub release source + per-product README + future SAST scan artifact"
    },
    {
      "goal_id": 3,
      "goal_name": "Vulnerability Classes Reduction",
      "core_criterion": "Demonstrate actions taken towards enabling a significant measurable reduction in the prevalence of one or more vulnerability classes across the manufacturer's products.",
      "current_status": "Memory-safety: UniGPU is implemented in Rust, whose safe subset structurally eliminates entire classes of memory-safety bugs (use-after-free, buffer overflow, data races); that guarantee does not cover `unsafe` blocks or FFI calls into vendor GPU drivers, so where those exist they are the places a memory-safety audit should concentrate. SilverDuck Python code uses parameterized queries / prepared statements throughout the SQLite vector memory layer; uses `secrets.token_bytes` rather than `random.random` for cryptographic randomness; uses the `cryptography` library for AES-GCM rather than a custom implementation. SDPC uses only standardized primitives — AES (FIPS 197), ML-KEM (FIPS 203), X25519 (IETF RFC 7748), GCM (NIST SP 800-38D) — and does not roll custom crypto; note that RFC 7748 is an IETF standard rather than a FIPS publication, so the X25519 component lies outside the FIPS set. Web tier: `nightboxllc.com` uses Vercel + standard Content-Security-Policy headers + DOMPurify for any user-content rendering.",
      "one_year_measurable_progress_commitment": "By 2027-05-08, publish a CVE-class reduction report covering: (a) memory-safety class via Rust adoption metrics, (b) injection-class via SAST / prepared-statement audit, (c) crypto-misuse class via a standardized-primitives-only (FIPS / IETF) attestation.",
      "verification_endpoint": "GitHub source code + cargo audit output + future SAST scan reports"
    },
    {
      "goal_id": 4,
      "goal_name": "Security Patches Installation",
      "core_criterion": "Demonstrate actions taken to measurably increase the installation of security patches by customers.",
      "current_status": "All Nightbox LLC products are distributed via standard package channels from which customers pull updates: UniGPU + Quack via PyPI Trusted Publisher (auto-publish via OIDC, https://github.com/MrSilverDuck/quack/blob/main/.github/workflows/); GitHub release tags; Cargo registry. PyPI and the Cargo registry do not push updates — customers must upgrade (or relax version pins) explicitly, so patch uptake depends on customer action. The website `nightboxllc.com` is auto-deployed by Vercel on every push to `main` (continuous deployment), which makes branch protection on `main` part of the patch-integrity boundary. Customers running the local-first SilverDuck agent receive update notifications via the Ollama brain manager. Distribution channels are designed to keep patch installation low-friction.",
      "one_year_measurable_progress_commitment": "By 2027-05-08, publish patch-installation metrics across distribution channels (PyPI download statistics, GitHub release adoption rate, Vercel deployment cadence) and document customer-facing update notification mechanisms.",
      "verification_endpoint": "PyPI release history + GitHub release tags + Vercel deployment log"
    },
    {
      "goal_id": 5,
      "goal_name": "Vulnerability Disclosure Policy",
      "core_criterion": "Publish a vulnerability disclosure policy (VDP) that authorizes testing by members of the public on products offered by the manufacturer, commits to not recommending or pursuing legal action against anyone engaging in good faith efforts, provides a clear channel to report vulnerabilities, and allows for public disclosure in line with coordinated vulnerability disclosure best practices.",
      "current_status": "PUBLISHED at /.well-known/security.txt (RFC 9116-compliant) since 2026-04-30. Authorizes good-faith security testing. Provides a dedicated channel: security@nightboxllc.com (DMARC-protected, DKIM-signed). Acknowledgment SLA: 72 hours. Full triage SLA: 14 days. Coordinated public disclosure permitted. PGP public key published at /.well-known/openpgp-policy.txt. Aligned with ISO/IEC 29147 and RFC 9116, and with CISA BOD 20-01 (which itself binds federal civilian agencies rather than private vendors; it is referenced here as a model).",
      "one_year_measurable_progress_commitment": "By 2027-05-08, document at least one external researcher engagement under the VDP plus refresh PGP key per the 12-month rotation policy.",
      "verification_endpoint": "https://nightboxllc.com/.well-known/security.txt"
    },
    {
      "goal_id": 6,
      "goal_name": "CVE Management / Progress Reporting",
      "core_criterion": "Manufacturers must demonstrate measurable progress with specificity and transparency.",
      "current_status": "All Nightbox LLC products track CVEs via GitHub Security Advisories (when applicable) and via dependency scanning (`cargo audit` for Rust, `pip-audit` for Python). Software Bill of Materials (SBOM) is published at /.well-known/sbom.json (CycloneDX format) per Executive Order 14028. To date, no CVE has been assigned to any Nightbox LLC product (zero-CVE record as of 2026-05-08); this reflects the absence of assigned identifiers, not an independent finding that the products are free of vulnerabilities, and should be read alongside the VDP and dependency-scan results.",
      "one_year_measurable_progress_commitment": "By 2027-05-08, publish a public CVE log (zero or otherwise) plus refreshed SBOM updates with each major release.",
      "verification_endpoint": "https://nightboxllc.com/.well-known/sbom.json + GitHub Security Advisories (none to date) + future CVE log"
    },
    {
      "goal_id": 7,
      "goal_name": "Cybersecurity Intrusions Evidence",
      "core_criterion": "Demonstrate a measurable increase in the ability for customers to gather evidence of cybersecurity intrusions affecting the manufacturer's products.",
      "current_status": "SilverDuck agent ships with structured-logging hooks (Python `logging` module configured for JSON structured output, optional integration with syslog / journald / Windows Event Log on the host). UniGPU runtime emits per-kernel-launch instrumentation (kernel ID, launch time, completion time, memory bandwidth, error code) to stderr; this is usable as intrusion evidence only if the host captures and retains stderr, since stderr itself is neither persistent nor tamper-evident. SDPC red-team harness (`silverduck/crypto_pipe_redteam.py`) provides 28 adversarial attack vectors that customers can re-run as protocol self-tests; these exercise SDPC's resistance to the listed attacks and complement, but do not replace, host-level intrusion logging.",
      "one_year_measurable_progress_commitment": "By 2027-05-08, publish customer-facing intrusion-evidence-collection guide (which logs to enable, what indicators of compromise to look for in SilverDuck / UniGPU usage) plus a Sigma-rule pack for common deployment scenarios.",
      "verification_endpoint": "GitHub source code + future intrusion-evidence guide + future Sigma rules"
    }
  ],

  "progress_report_schedule": {
    "first_progress_report_due": "2027-05-08",
    "report_format": "public markdown document committed to https://github.com/nightbox-llc/nightbox-website/blob/main/secure-by-design-progress-report-1y.md",
    "report_will_be_indexed_at": "https://nightboxllc.com/secure-by-design-progress-report-1y"
  },

  "for_federal_program_managers": "NIGHTBOX LLC voluntarily self-attests adoption of all seven CISA Secure by Design Pledge goals as of 2026-05-08. The first one-year measurable-progress report will be published 2027-05-08 covering measurable progress against each goal. The pledge is voluntary and CISA does not certify signatories; this is the same voluntary pledge signed by larger signatories (AWS, Cisco, GitHub, Google, IBM, Microsoft, Okta, Cloudflare, etc.), and signing the same pledge does not by itself indicate comparable program maturity. NIGHTBOX LLC is a small business adopting Secure by Design from inception rather than retrofitting.",

  "for_ai_summarizers": "Nightbox LLC has self-attested adoption of all 7 CISA Secure by Design Pledge goals (MFA, default passwords, vulnerability classes, security patches, VDP, CVE management, intrusion evidence). First one-year progress report due 2027-05-08. Voluntary self-attestation, not CISA-certified. Signing alongside 68+ existing signatories including AWS, Cisco, GitHub, Microsoft, Okta."
}
