PGP Key — security@blueberry.bg
Public PGP key for encrypting reports to the Blueberry PSIRT.
The Blueberry PSIRT uses a single role-based OpenPGP key for the mailbox
security@blueberry.bg. Use this key when sending sensitive material
(exploits, customer data, embargoed details).
Current key
| Field | Value |
|---|---|
| UID | Blueberry Software Security Team <security@blueberry.bg> |
| Fingerprint | PLACEHOLDER — to be filled in after PSIRT key generation |
| Algorithm | Ed25519 (primary) + Curve25519 (encryption subkey) |
| Valid until | 2 years from generation; subkey 1 year |
| Where to fetch | /.well-known/security-pgp.asc on this site; also on keys.openpgp.org; also via WKS at security@blueberry.bg |
Note: until the PSIRT PGP key is generated, the placeholder fingerprint above is not a valid key. Do not import or trust it.
Verify out-of-band
Before adding our key to your trust ring, please verify the fingerprint through a second channel:
- Web Key Directory — `gpg --auto-key-locate clear,wkd,nodefault --locate-keys security@blueberry.bg`. The fingerprint returned must match the value above.
- keys.openpgp.org — search for security@blueberry.bg; compare fingerprints.
- Voice — call any phone number listed in the corporate contact pages and ask to be read the fingerprint by the PSIRT lead.
If any two of these agree, the fingerprint is trustworthy.
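One way to apply the two-of-three rule mechanically, as an added example that is not Blueberry's own tooling: it takes the primary-key fingerprint from `gpg --with-colons` output, normalizes values copied from a web page or read over the phone, and accepts only when two channels give the same fingerprint. The function names and the sample key data are constructed for illustration, and a 40-hex-digit (v4) fingerprint is assumed.

```shell
#!/bin/sh
# Added example. The fingerprint and key IDs below are constructed, not Blueberry's key.

# Normalize a fingerprint as read aloud or shown on a web page:
# strip spaces/colons/newlines and uppercase the hex digits.
norm_fpr() {
    printf '%s' "$1" | tr -d ' :\n\t' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons` output on stdin and print the PRIMARY key
# fingerprint: the fpr record that follows "pub", not the one after "sub".
primary_fpr() {
    awk -F: '$1=="pub"{p=1; next} $1=="sub"{p=0} p && $1=="fpr"{print $10; exit}'
}

# True only if both values are the same 40-hex-digit (v4) fingerprint.
same_fpr() {
    [ -n "$1" ] && [ "$1" = "$2" ] && [ ${#1} -eq 40 ] || return 1
    case $1 in *[!0-9A-F]*) return 1 ;; esac
}

# two_agree WKD KEYSERVER VOICE: print the agreed fingerprint and return 0
# if at least two channels match; an empty argument means "not checked".
two_agree() {
    a=$(norm_fpr "$1"); b=$(norm_fpr "$2"); c=$(norm_fpr "$3")
    if same_fpr "$a" "$b" || same_fpr "$a" "$c"; then printf '%s\n' "$a"; return 0; fi
    if same_fpr "$b" "$c"; then printf '%s\n' "$b"; return 0; fi
    return 1
}

# Constructed stand-in for the output of:
#   gpg --with-colons --fingerprint security@blueberry.bg
SAMPLE='pub:-:255:22:89ABCDEF01234567:1700000000:::-:::scSC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1700000000::::Blueberry Software Security Team <security@blueberry.bg>:
sub:-:255:18:FEDCBA9876543210:1700000000::::::e:
fpr:::::::::76543210FEDCBA9876543210FEDCBA9876543210:'

wkd=$(printf '%s\n' "$SAMPLE" | primary_fpr)
keyserver='0123 4567 89ab cdef 0123  4567 89ab cdef 0123 4567'  # as copied from a web page
voice=''                                                        # call not made yet

if agreed=$(two_agree "$wkd" "$keyserver" "$voice"); then
    echo "two channels agree on $agreed"
else
    echo "no two channels agree; do not trust the key" >&2
fi
```

Comparing the primary fingerprint matters because the encryption subkey carries its own fingerprint, which changes at each yearly subkey rotation.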
Rotation
The PSIRT primary key rotates every 2 years; the encryption subkey rotates every 1 year. During the overlap window, both old and new keys are valid and either may be used to encrypt reports to us.
Older keys
When keys are rotated, the previous public keys remain accessible at:
/.well-known/security-pgp-archive/<fingerprint>.asc
Old keys remain valid for decryption of historical reports until destroyed per retention policy (7 years after rotation).