Public attestation

Training-data declaration

Last reviewed: 2026-05-17 · Predicate type: https://securie.com/attestation/training-data/v1

Declaration (current state)

Securie does not currently train, fine-tune, distill, or otherwise adapt any machine-learning model on customer code — not by default, not on any tier, not under any add-on at the time of the most-recent revision below. This is a current-state declaration; see the quarterly-review + scope-clarification sections at the foot of this page. Specifically:

  • Stock-weight OSS models only. Securie serves stock-weight models exactly as published — Foundation-Sec-8B local, GLM-5.1, Hermes 4 405B, Gemini Flash-Lite, Claude Sonnet 4.6. Zero fine-tuned adapters in production; the inference router has no adapter layer. See /legal/model-card for the per-model card.
  • No training corpus exists. The fine-tuning / LoRA / signal-capture infrastructure — including the former opt-in training-corpus store — was removed entirely. There is no per-customer adapter, no shared federated model, and no Training Addendum opt-in. See the Privacy Policy DPA §4 for the current-state no-training declaration.
  • Public corpora only for benchmarking. Reference + held-out corpora used for public-bench (OWASP, CWE-Top-25, CVE replay, HackerOne disclosures) are all publicly sourced. None are scraped from customer repositories or PRs.
  • Customer code stays in-tenant. Customer source is processed at scan time inside the per-tenant RLS perimeter and is never persisted into any cross-tenant dataset, model, or weight.

Verification

The full signed predicate (when published) follows the in-toto v1 statement shape used elsewhere in Securie's attestation chain. Statement and predicate body fields:

{
  "_type": "https://in-toto.io/Statement/v1",
  "subject": [{ "name": "securie/production", "digest": { "sha256": "<commit>" } }],
  "predicateType": "https://securie.com/attestation/training-data/v1",
  "predicate": {
    "trains_on_customer_code": false,
    "fine_tuned_adapters_in_prod": 0,
    "stock_models_in_prod": 5,
    "public_corpora": ["OWASP-Benchmark", "CWE-Top-25", "HackerOne-public", "CVE-replay"]
  }
}

The agent-side path emits this predicate via AttestationSigningKey::sign (Ed25519) — same chain as the per-finding + per-SBOM attestations. Verification: download the envelope from the auditor portal evidence bundle, decode the DSSE payload, and verify against the published key at /.well-known/securie-attestation-public-key.
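The verification steps above, as an added example that is not Securie's own code: it checks the Ed25519 signature over the DSSE pre-authentication encoding first, and only then reads the predicate fields from the signed bytes. Assumptions: the envelope uses the standard DSSE layout with payloadType application/vnd.in-toto+json, the published key is a raw 32-byte Ed25519 public key, and a throwaway key generated locally stands in for it; VerifyDeclaration and SignSample are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

const predicateType = "https://securie.com/attestation/training-data/v1"
// DSSE envelope and the in-toto statement fields this check reads.
type Envelope struct{ Payload, PayloadType string; Signatures []struct{ Sig string } }
type Statement struct{ PredicateType string; Predicate map[string]interface{} }
// pae is DSSE's pre-authentication encoding: the exact bytes that are signed.
func pae(t string, body []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(t), t, len(body), body))
}
// VerifyDeclaration checks the signature first, then the claims in the signed bytes.
func VerifyDeclaration(envJSON []byte, pub ed25519.PublicKey) error {
	env, st := Envelope{}, Statement{}
	if len(pub) != ed25519.PublicKeySize || json.Unmarshal(envJSON, &env) != nil {
		return fmt.Errorf("bad key or malformed envelope")
	}
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	signed := false
	for _, s := range env.Signatures {
		sig, _ := base64.StdEncoding.DecodeString(s.Sig)
		signed = signed || ed25519.Verify(pub, pae(env.PayloadType, body), sig)
	}
	if err != nil || !signed {
		return fmt.Errorf("no valid signature from the supplied key")
	}
	if json.Unmarshal(body, &st) != nil || st.PredicateType != predicateType ||
		st.Predicate["trains_on_customer_code"] != false || st.Predicate["fine_tuned_adapters_in_prod"] != float64(0) {
		return fmt.Errorf("signed statement contradicts the declaration")
	}
	return nil
}
// SignSample builds a constructed envelope signed with a throwaway key (sample input only).
func SignSample(trains bool, priv ed25519.PrivateKey) []byte {
	t, b64 := "application/vnd.in-toto+json", base64.StdEncoding.EncodeToString
	stmt := fmt.Sprintf(`{"predicateType":%q,"predicate":{"trains_on_customer_code":%t,"fine_tuned_adapters_in_prod":0}}`, predicateType, trains)
	sig := ed25519.Sign(priv, pae(t, []byte(stmt)))
	return []byte(fmt.Sprintf(`{"payloadType":%q,"payload":%q,"signatures":[{"sig":%q}]}`, t, b64([]byte(stmt)), b64(sig)))
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	fmt.Println(VerifyDeclaration(SignSample(false, priv), pub)) // <nil>
}
```

Because the payloadType is part of the signed bytes, an envelope whose type or payload is altered after signing fails the signature check before any predicate field is read.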

What counts as “training”

Per R-DERISK-ENTRYSTAGE Wave 1 / Phase 11 scope-clarification (2026-05-25): “training” in this declaration means adjusting model weights. The following mechanisms are in-context augmentations that do NOT modify model weights and are therefore out of scope of this declaration:

  • Specialist few-shot packs (prompt examples loaded at request time)
  • Prompt-registry entries
  • Cascade-adjudicator priors
  • RAG-embedding lookups (vector retrieval over the tenant-scoped Ring 0 KB)

These mechanisms read customer code at scan time within the per-tenant RLS perimeter. The declaration on this page covers weight-modifying training only.

Change log + review

  • 2026-05-25 — Per R-DERISK-ENTRYSTAGE Wave 1 / Phase 11: declaration reframed from an absolute ("no training on customer code, ever") to a current-state declaration. Quarterly review committed below. Scope clarification added: in-context augmentations do not modify weights and are out of scope.
  • 2026-05-17 — Fine-tuning / LoRA / signal-capture infrastructure removed entirely. The opt-in training-corpus store and the Training Addendum were retired.
  • 2026-05-14 — Initial declaration.

Quarterly review. This declaration is reviewed each calendar quarter and may be revised if Securie's model architecture changes. Changes require a PR + reviewer sign-off per Securie's standard ADR process; the published predicate is re-signed on every change.