The Trivy attack did not hack anyone's secrets manager.
It just waited until the key was retrieved and sitting
in memory as a plaintext string. Then read it.
VaultProof solves that specific moment. The key never
exists as plaintext in your app or pipeline.
And even if VaultProof gets hacked, that is the whole
point. We only store shares. Individual shares are
mathematically useless. An attacker who completely owns
our infrastructure still gets nothing they can use.
There is nothing to steal. That is the architecture.
Compromise VaultProof and you get worthless shares.
The Trivy malware bypassed log masking entirely by reading
directly from runner process memory. Secrets managers did not help because
the credentials had already been retrieved and placed in memory as plaintext
strings. That is what got stolen.
A third-party security service got hacked, and then hackers used that to collect highly sensitive information from that service's user.
To fix this, let's add another third-party security service and give it all the sensitive information. I am sure it won't get hacked!
The Trivy attack did not hack anyone's secrets manager. It just waited until the key was retrieved and sitting in memory as a plaintext string. Then read it.
VaultProof solves that specific moment. The key never exists as plaintext in your app or pipeline.
And even if VaultProof gets hacked, that is the whole point. We only store shares. Individual shares are mathematically useless. An attacker who completely owns our infrastructure still gets nothing they can use.
There is nothing to steal. That is the architecture.
Compromise VaultProof and you get worthless shares.
The Trivy malware bypassed log masking entirely by reading directly from runner process memory. Secrets managers did not help because the credentials had already been retrieved and placed in memory as plaintext strings. That is what got stolen.