Contact and Key Verification

Email is the best way to reach me at [email protected]. If the message is sensitive, please use encrypted email. Signal is available as a secondary encrypted channel. This page covers how I prefer to be contacted, how to verify my key and what helps me reply efficiently.

Email - Preferred Contact

[email protected]

Use this for general contact, technical discussion and anything that benefits from a durable written record. If the message is sensitive, encrypted email is highly preferred.

Secondary

Signal (steadytao.01)

Use Signal if the conversation is more conversational. Please note it is a secondary channel I do not check as regularly.

Verify first, then encrypt

C0E1 0545 0570 4F75 7D92 5AB2 6A64 E8AA 2EFB CF5D

Always verify this fingerprint before sending sensitive material.

If you want an encrypted reply, include your public key with the message or make sure it is directly discoverable from your address.

Match the channel to the message

Email

Use email for most contact, technical discussion, longer messages, attachments and anything that benefits from a durable record.

Encrypted email

Use OpenPGP when the message is private, sensitive or disclosure-related.

Signal

Use Signal when the exchange is more immediate or conversational and email would be unnecessarily heavy.

How to contact me

Clear subject lines and concise context help. Encrypted email is welcome when appropriate. I may not reply immediately, especially to vague outreach. For project-specific matters, include the relevant links or context up front.

For security issues in a specific project, please use that repository’s official security policy or disclosure contact first. Do not contact me directly about another project’s security issue unless the project has no published security policy or disclosure contact, the published contact is unreachable or clearly inappropriate for the issue or there is reasonable concern that using the official route could put people at risk such as suspected maintainer-account compromise, malicious contributor activity, supply-chain compromise or an xz-style social or trust attack. If you do contact me, include only the minimum information needed to understand the concern and establish a safer reporting path. Do not send exploit details, private user data, credentials, malware samples or pre-publication sensitive material over social platforms. For ordinary bugs, feature requests, documentation problems and non-sensitive security hardening suggestions, use the relevant public issue tracker.