
Quantova Bug Bounty Program

The Quantova Bug Bounty Program is a security research initiative focused on identifying weaknesses that could affect protocol behavior or network reliability. It provides a structured channel for reporting technical issues discovered in Quantova’s core systems, including node software, execution infrastructure, and supporting developer tooling.

Reported issues are evaluated through a managed disclosure process that prioritizes accuracy, impact assessment, and coordinated remediation. The program is intended to support continuous security review of the protocol as it evolves.

Contributors whose reports meet program requirements may be acknowledged and compensated in accordance with published security and disclosure policies.

In Scope

The scope of the program includes vulnerabilities that alter or undermine expected protocol operation. This includes faults in consensus participation under NPoS, governance logic, peer communication, and network coordination that could affect correctness or safety.

Issues involving QVM execution semantics, transaction validation, state transition logic, cryptographic enforcement, and protocol-defined rules are eligible. The scope also extends to client implementations, custom libraries, compilers, developer tooling, and applications that interface with QVM, PQR, staking, or governance components when defects could cause divergence from protocol-defined behavior.

Where applicability is uncertain, researchers should contact the Quantova security team prior to disclosure. All submissions are expected to follow coordinated disclosure practices and use secure communication channels for sensitive material.

Specification Level Issues

Quantova publishes formal specifications describing expected behavior of the QVM execution environment and the network’s consensus and staking mechanisms. Vulnerabilities that arise from gaps, ambiguities, or inconsistencies within these specifications are considered in scope.

Reviewers are encouraged to compare documented behavior with implementable behavior across clients and tooling to identify cases where protocol rules could be interpreted or enforced inconsistently.

Relevant Issue Types

This includes issues that affect chain agreement or finality, enable service degradation, or introduce resource exhaustion paths. Findings may also involve conflicting assumptions between protocol components, unintended validator penalties under normal conditions, or incorrect parameterization and calculations that could lead to divergent execution.

Client Implementation Issues

Quantova clients are responsible for enforcing protocol rules defined by QVM and consensus specifications. Issues arising from incorrect implementation, unsafe behavior, or deviation from documented protocol logic are within scope.

All production-ready node, execution, and validator clients are included, with additional implementations added as they complete security review.

Relevant Issue Types

This includes specification non-compliance, unexpected crashes or service disruption, remote execution risks, and defects that could cause persistent chain divergence or validator desynchronization.

Language and Compiler Issues

Compilers and language tooling that target QVM are within scope of the Quantova Bug Bounty Program. Reports should focus on issues that result in incorrect bytecode generation, unexpected execution behavior, or divergence from documented QVM semantics.

Submissions must include sufficient detail to reproduce the issue, such as the input program, affected compiler version, target QVM configuration, execution environment, and clear reproduction steps. Issues limited to compiler crashes caused by intentionally malformed or untrusted input are not considered eligible unless they lead to incorrect execution or protocol impact.

Deposit Contract Issues

The specifications and on-chain source code governing Quantova’s deposit and staking entry mechanisms are included within the scope of the bug bounty program. Findings related to incorrect validation, accounting errors, or state transitions affecting validator onboarding or stake handling are eligible for review.


Dependency Issues

Certain third-party libraries and protocol dependencies are critical to the correct operation of the Quantova network. Vulnerabilities within these dependencies are considered in scope when they affect QVM execution, cryptographic verification, consensus behavior, or protocol integrity.

The set of eligible dependencies is defined and maintained in Quantova’s public repositories, and may change as components are added, updated, or deprecated.


Vulnerability Severity Qualifications

Severity is assessed based on a discovered vulnerability’s ability to do the following:

Low severity

Slash more than 0.01% of active validators under Quantova NPoS

Trivially cause execution divergence or network splits affecting more than 0.01% of participating nodes

Be able to disrupt more than 0.01% of the network by sending a single network message or on-chain transaction processed by QVM

Medium severity

Slash more than 1% of active validators under Quantova NPoS

Trivially cause execution divergence or network splits affecting more than 5% of the network

Be able to disrupt more than 5% of the network by sending a single network message or on-chain transaction processed by QVM

High severity

Slash more than 33% of active validators under Quantova NPoS

Trivially cause execution divergence or network splits affecting more than 33% of the network

Be able to disrupt more than 33% of the network by sending a single network message or on-chain transaction processed by QVM

Critical severity

Slash more than 50% of active validators

Exploit a QVM specification or client implementation flaw to mint unauthorized QTOV or protocol governed assets that reach finality

Extract, corrupt, or permanently destroy assets across a broad set of accounts through protocol level failure

Disable the Quantova network by submitting a single malicious on-chain transaction that causes systemic client or execution layer failure

Out of Scope

Only items explicitly listed as in scope are covered by the Quantova Bug Bounty Program. The following submissions do not qualify.

Issues related to general infrastructure such as websites, DNS, email systems, or hosting services*

QRC20 token contract logic or application-specific smart contract bugs*

Naming, identity, or registry services operated by external foundations or third parties

Vulnerabilities that require users to expose public APIs, including unrestricted RPC endpoints

Typographical errors, documentation issues, or non-executable artifacts

Test environments or non production code

Denial-of-service scenarios requiring sustained resource usage or repeated interaction

Issues that are already publicly disclosed through repositories, forums, commits, or public communications

*In limited cases, the Quantova security team may assist with responsible disclosure to relevant maintainers.

Submit a Bug

Valid security reports submitted to Quantova may be eligible for rewards.

Reward assessment is based on the severity of the issue and its potential impact on the Quantova network. Severity is evaluated using a risk-based model aligned with the OWASP Risk Assessment Framework, considering both execution impact within QVM and likelihood of exploitation.

Additional factors considered during review include:

Quality of description

Clear and technically precise reports that identify affected QVM, PQR, or protocol components are prioritized.

Reproducibility

A proof of concept is required. Submissions should include sufficient detail, test cases, or scripts to reproduce the issue in a QVM-compatible environment.

Remediation insight

Where applicable, proposed mitigations or fixes may be included and will be considered during assessment.

All submissions are reviewed under coordinated disclosure practices.

Low Severity

Up to 2,000 USD

Up to 1,000 points

Severity profile

Low execution impact with medium likelihood, or medium impact with low likelihood.

Example

An attacker can intermittently place a QVM node into a degraded execution state that causes a validator to miss a small fraction of transaction attestations or execution confirmations without affecting finality.

Medium Severity

Up to 10,000 USD

Up to 5,000 points

Severity profile

High impact with low likelihood, medium impact with medium likelihood, or low impact with high likelihood.

Example

An attacker can reliably isolate QVM nodes with specific networking or identity characteristics, degrading peer connectivity and execution propagation without fully halting consensus.

High Severity

Up to 50,000 USD

Up to 10,000 points

Severity profile

High impact with medium likelihood, or medium impact with high likelihood.

Example

An attacker can partition a significant portion of the Quantova network, disrupting QVM execution consistency or validator coordination in a way that is straightforward to trigger under realistic conditions.

Critical Severity

Up to 250,000 USD

Up to 25,000 points

Severity profile

High impact with high likelihood.

Example

An attacker can achieve remote code execution, arbitrary state manipulation, or deterministic consensus failure in a widely used Quantova client or QVM execution path with minimal effort.

Bug Hunting Rules

The Quantova Bug Bounty Program is a discretionary security disclosure initiative intended to support responsible identification and reporting of vulnerabilities affecting the Quantova protocol. Covered components include QVM execution, QRC20 standards, consensus and validator mechanisms, governance processes, client implementations, and related infrastructure. The program does not constitute a competition or contractual entitlement. Quantova may amend, suspend, or terminate the program at its discretion. All rewards are issued solely at the determination of the Quantova Security Review Panel.

Quantova does not provide rewards to individuals or entities subject to applicable sanctions regimes or located in sanctioned jurisdictions. Where required by law, identity verification may be requested prior to any award. Participants are solely responsible for all tax obligations and regulatory compliance associated with any reward received.

Security testing must be conducted in accordance with applicable law and ethical research standards. Testing activities must not involve unauthorized access, disruption, or exposure of systems, data, or assets not owned or expressly authorized by the researcher. Testing must be limited to local environments, designated test networks, or explicitly permitted resources.

Submissions must include a reproducible proof of concept sufficient to validate the reported issue. Reports that are duplicative, incomplete, previously disclosed, or already known to Quantova maintainers are not eligible for rewards. Any public disclosure or third-party sharing of vulnerability details without prior coordinated disclosure disqualifies the submission.

Employees, contractors, and affiliates of Quantova or in-scope client teams may participate for review or recognition purposes but are not eligible for monetary awards.

All determinations regarding eligibility, severity classification, execution impact scoring, reward issuance, and final disposition are made exclusively by the Quantova Security Review Panel and are final.

QVM Execution Security Leaderboard

Recognizing verified contributors who strengthen QVM execution correctness, protocol enforcement, and network resilience.

Consensus Layer Security Leaderboard

Recognizing verified contributors who strengthen Quantova consensus integrity and validator coordination.

A strong submission clearly describes the issue, identifies the affected component within QVM, QRC20, consensus, or supporting infrastructure, and explains the execution or protocol impact. Reports should include a reproducible proof of concept, expected versus observed behavior, and sufficient detail for independent verification.

The Quantova Bug Bounty Program operates on an ongoing basis and is not bound to a fixed duration. Submissions are accepted as long as the program remains active, subject to updates or termination at Quantova’s discretion.

Rewards are issued following validation and severity assessment by the Quantova Security Review Panel. Distribution methods and formats are determined by Quantova and may vary based on jurisdictional, legal, or operational considerations.

Contributors may choose to decline recognition or request alternative handling of rewards, subject to program rules and legal constraints. Any such requests are reviewed on a case-by-case basis during the disclosure process.

All submissions are reviewed, but response times may vary depending on complexity, severity, and verification requirements. Contributors are encouraged to allow reasonable time for triage before following up.

Anonymous submissions are accepted; however, anonymity may limit eligibility for certain rewards due to legal or verification requirements. Contributors may request exclusion from public recognition where permitted.

Points reflect the assessed impact and validity of verified submissions. Scoring is based on execution impact, protocol risk, and reproducibility under the QVM execution impact model, rather than submission volume.

Yes. Quantova supports encrypted communication for responsible disclosure to protect sensitive technical details during review and remediation. Secure submission practices are strongly encouraged for all reports.

Questions?

Contact the Quantova Security team at bounty@quantova.org for vulnerability reporting program inq