Evidence

View as Markdown

A security framework should be judged on artifacts, not adjectives. Every LockWire repository ships its evidence with the source, so the claim and the code can be checked against each other:

  • Threat models — authored, versioned abuse-case matrices, updated with the code they describe. Read them before you trust us.
  • A self-audited SSDL — a secure software development lifecycle based on IEC 62443-4-1, targeting the technical requirements of IEC 62443-3-3 and -4-2 at Security Level 4. These are engineering baselines we self-assess against in the open — not third-party certifications, and we say so plainly.
  • Traceability — requirement-to-code-to-test records, kept by the same tooling (lockwire-ssdl) that gates every change.
  • FIPS posture — cryptography is routed exclusively through AWS-LC FIPS: no home-rolled primitives, no curve step-downs.
  • SBOMs — software bills of materials for every release.

This section explains the artifacts and links to them where they live — in the repositories — rather than forking them into a second copy that could drift. The artifacts go public with their repositories as each tier reaches release; their canonical homes are github.com/lockwire-org/lockwire, lockwire-sec, lockwire-ai, and lockwire-ssdl.