Here's our trust model and safeguards:

Trust Minimization:

- Sigbash can't move your funds on its own - it's just one key in your multisig setup
- We don't know what funds you're protecting until you request a signature
- Every xpub comes with a cryptographically signed receipt proving its conditions
- Our receipts are timestamped on the Bitcoin blockchain via OpenTimestamps

If Sigbash doesn't sign when it should: Contact support at sigbashsupport@proton.me with your signed receipt. We recommend having backup plans like timelocked recovery paths in your wallet setup.

If Sigbash signs when it shouldn't: This would require a significant breach of our security model. Our reputation as a service depends on never violating signing conditions, which is why we provide GPG-signed receipts attesting to them.