Trust-surface labeling corrections — AI-assisted review, SOC 2 readiness, and audit-log claim
SigmaShake corrected mislabeled trust-surface claims: an AI-assisted internal security review was labeled as a penetration test, SOC 2 readiness status was presented ambiguously, and a Merkle-chain claim was applied to the governance audit log which actually uses per-row Ed25519 signatures. No vulnerability, no system compromise, no customer action required.
| Advisory | SSA-2026-0001 |
|---|---|
| Severity | Informational |
| Published | June 11, 2026 |
| Affected | trust.sigmashake.com, security.sigmashake.com, compliance.sigmashake.com |
On 2026-06-09/10, SigmaShake corrected three labeling errors on its public-facing trust and security surfaces. No vulnerability exists; this advisory is a transparency notice.
**1. AI-assisted security review mislabeled as a penetration test.**
The trust portal (trust.sigmashake.com) and the compliance.json well-known document listed an AI-assisted internal security review under the key 'penetration_test_report' with a label that did not reflect the actual methodology. The corrected label is: 'AI-assisted security review (not a third-party penetration test)'. No third-party human penetration test has been conducted.
**2. SOC 2 readiness presented ambiguously.**
Multiple surfaces did not clearly distinguish between a readiness assessment (observation in progress) and a completed independent CPA audit (not yet commenced). The corrected statement on all surfaces is: 'SOC 2 Type II readiness — observation window 2026-05-18 to 2026-11-17; independent CPA audit not yet engaged.'
**3. Merkle-chain claim applied to governance audit log.**
Documentation and labeling described the sigmashake-gov governance audit log as Merkle-chained. The actual implementation uses per-row key-conditional Ed25519 signatures, not a Merkle chain. The Merkle chain is correctly implemented in the compliance evidence pipeline (sigmashake-compliance manifest roots, cross-anchored to the sigmashake-hub transparency log). The governance audit log label has been corrected to 'per-row Ed25519 signed'.
All three corrections follow the append-only evidence discipline: old records are not deleted or relabeled; a new record supersedes each. No credentials were exposed. No customer data was affected.
Stay ahead of the next one
Subscribe to be notified directly the moment SigmaShake discloses a security issue.