A PGP key rotation policy was implemented for established vendor accounts on September 3, 2025. Vendors who have been operational on the platform for more than 12 months began receiving automated notifications recommending key rotation, along with documentation explaining the process and rationale. The policy addresses a genuine security risk: long-lived PGP keys that have been in use for extended periods carry a higher risk of compromise through key extraction malware, poor storage practices, or hardware failure. Rotating keys periodically limits the window of exposure if a private key is ever compromised. The rotation process is straightforward: vendors generate a new PGP keypair, upload the new public key to their profile, and publish a transitional message signed with both the old and new private keys to confirm continuity of identity. Buyers who have the vendor's old public key stored locally are advised to import the new key and verify the transition signature. The policy is currently a recommendation rather than a requirement, but platform documentation notes that mandatory rotation intervals may be introduced for higher-risk account tiers in the future. The rotation notification system was implemented as part of the broader security infrastructure improvements deployed throughout summer 2025, alongside the 2FA upgrade and anti-DDoS overhaul.
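The verification step described above, as an added example that is not part of the original page or the platform's own tooling: it models the dual-signed transition message with raw Ed25519 signatures from Go's standard library rather than OpenPGP. The `Transition` type, the statement format and the `demoKey` sample keys are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Transition is a constructed stand-in for the dual-signed transition message.
type Transition struct {
	NewPub         ed25519.PublicKey
	SigOld, SigNew []byte
}

// demoKey derives a constructed, non-secret sample key from a label.
func demoKey(label string) ed25519.PrivateKey {
	seed := sha256.Sum256([]byte(label))
	return ed25519.NewKeyFromSeed(seed[:])
}
func pubOf(priv ed25519.PrivateKey) ed25519.PublicKey { return priv.Public().(ed25519.PublicKey) }

// statement names both keys by SHA-256 fingerprint, so each signature covers the pair.
func statement(oldPub, newPub ed25519.PublicKey) []byte {
	return []byte(fmt.Sprintf("key-transition old=%x new=%x", sha256.Sum256(oldPub), sha256.Sum256(newPub)))
}

// SignTransition is the key owner's side: one statement, signed by both private keys.
func SignTransition(oldPriv, newPriv ed25519.PrivateKey) Transition {
	stmt := statement(pubOf(oldPriv), pubOf(newPriv))
	return Transition{pubOf(newPriv), ed25519.Sign(oldPriv, stmt), ed25519.Sign(newPriv, stmt)}
}

// VerifyTransition is the side of someone who already holds (pins) the old public key.
func VerifyTransition(pinnedOld ed25519.PublicKey, tr Transition) error {
	if len(tr.NewPub) != ed25519.PublicKeySize {
		return fmt.Errorf("offered new key is malformed")
	}
	stmt := statement(pinnedOld, tr.NewPub) // rebuilt locally, never taken from the sender
	if !ed25519.Verify(pinnedOld, stmt, tr.SigOld) {
		return fmt.Errorf("old-key signature invalid: continuity not proven")
	}
	if !ed25519.Verify(tr.NewPub, stmt, tr.SigNew) {
		return fmt.Errorf("new-key signature invalid: no proof of possession")
	}
	return nil
}

func main() {
	fmt.Println("transition error:", VerifyTransition(pubOf(demoKey("old")), SignTransition(demoKey("old"), demoKey("new"))))
}
```

A transition signed only by keys other than the pinned one fails the old-key check, which is the case the dual signature exists to catch.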