Skip to content
ArkNet logoArkNet
Security-first architecture

Trust, verified.

ArkNet is designed so you don’t have to trust the hardware provider — you verify the execution. Proofs, isolation, and signed releases make distributed compute measurable and auditable.

Read security model Download public key
Proof verified
STARK/receipt
Runtime boundary
Sandbox
Release integrity
Signed + logged

Runtime Isolation

Kernels execute inside a strict sandbox with explicit memory boundaries and constrained syscalls.

  • Per-workload memory isolation
  • Deterministic runtime surface
  • Host contamination resistance

Verifiable Compute

Workloads emit succinct receipts; validators verify outputs match the input code and declared resources.

  • Proof/receipt for execution
  • Replayable inputs + outputs
  • Auditable job lineage

Supply Chain

Artifacts are reproducible and signed; provenance is logged to transparency systems for independent verification.

  • Signed releases + checksums
  • Reproducible builds
  • Transparency logging

Verify releases before you run them

Every ArkNet release ships with signatures and checksums. Import the ArkNet public key, then verify the signature file shipped alongside the artifact.

Public key

Use this key to verify release signatures.

Key ID
0xARKNET_SEC_4921
Fingerprint
93A2 1C4B … 4921
Signature verification
Prevents tampered downloads.
Provenance + logging
Supports independent audits.
Go to downloads Release notes

Operational guidance

  • Verify signatures in CI for all deployments.
  • Pin provider hashes only when deterministic hardware is required.
  • Prefer verified execution receipts for high-stakes workflows.
bash
$ gpg --import arknet.asc
gpg: key 0xARKNET…: public key "ArkNet Security" imported
$ sha256sum ark-v0.4.1.tar.gz
2d0f…c9a1 ark-v0.4.1.tar.gz
$ gpg --verify ark-v0.4.1.tar.gz.asc
gpg: Good signature from "ArkNet Security <security@arknet.io>"

Threat model snapshot

A practical view of what ArkNet defends against, and how the system reduces trust assumptions.

Full threat model

Malicious provider

A provider tries to return incorrect outputs or manipulate execution.

Mitigations
  • Proof/receipt verification rejects invalid outputs
  • Deterministic inputs + declared resources
  • Audit trail for disputes

Supply chain tampering

A binary or artifact is modified in transit or replaced upstream.

Mitigations
  • Signed releases + checksums
  • Reproducible build verification
  • Transparency logging for provenance

Sandbox escape attempts

A workload attempts to access host resources or break isolation.

Mitigations
  • Constrained syscall surface
  • Memory isolation and runtime boundary
  • Continuous fuzzing and hardening

API abuse

Credential stuffing, rate bypass, or abusive dispatch patterns.

Mitigations
  • Token scoping + quotas
  • Rate limiting and anomaly detection
  • Audit logs for forensic review

Bug bounty program

Security is continuous. If you discover a vulnerability in the protocol, compiler, runtime, or provider daemon, report it responsibly.

Critical$50,000+

RCE, key exfiltration, consensus break

High$10,000+

DoS, sandbox escape, auth bypass

Medium$2,500+

API abuse, information leakage

Report a vulnerabilityDisclosure policy

Please include reproduction steps, impact assessment, and affected versions.