Security policy, vulnerability disclosure process, and bug bounty information for Quantova, the post-quantum Layer 1 for institutional settlement.

This repository is the canonical, public home for how to report a vulnerability to Quantova, what is in scope, how disclosure is coordinated, and where the bug bounty runs. It is written for security researchers, auditors, validators, and integrators.

Reporting a vulnerability? Do not open a public issue. Submit through one of the official channels in Report a Vulnerability below. Quantova follows coordinated disclosure.

Quantova accepts security reports through the following official channels. For anything that could affect funds, consensus, or user safety, use the bug bounty program so your report is tracked, triaged, and eligible for a reward.

| Channel | Use it for | Link |
|---|---|---|
| Quantova Bug Bounty (submissions) | The primary intake page for vulnerability submissions. | https://quantova.org/bug-bounty/ |
| HackenProof program | Quantova runs its bug bounty through HackenProof; submit, track, and get rewarded there. | https://hackenproof.com/programs |
| Direct security contact | Sensitive reports needing encrypted handling before a program submission. | security@quantova.org (PGP — see SECURITY.md) |

Full rules, scope, severity, and rewards are in bug-bounty.md and SECURITY.md.

| Document | What it covers |
|---|---|
| SECURITY.md | The security policy: how to report, coordinated-disclosure process, safe-harbor, PGP, and supported versions. |
| bug-bounty.md | The bug bounty program: scope, severity matrix, rewards, rules, and how to submit via the Quantova bug bounty page and HackenProof. |
| scope.md | Detailed in-scope and out-of-scope assets (protocol, QVM, bridges, wallet, infrastructure). |
| disclosure-policy.md | The coordinated-disclosure timeline and expectations for researchers and for Quantova. |
| threat-model.md | Quantova's security model, including its post-quantum posture and resistance to Shor's algorithm. |
| audits.md | Index of third-party security audits and their status. |
| hall-of-fame.md | Recognition for researchers who have responsibly disclosed issues. |

- Coordinated disclosure. Report privately, give Quantova time to remediate, then disclose together. See disclosure-policy.md.
- Bug bounty via HackenProof. Quantova holds its bug bounty program through HackenProof; the public submission entry point is the Quantova bug bounty page.
- Safe harbor. Good-faith research conducted within scope and these rules will not be pursued legally. See SECURITY.md.
- Post-quantum by design. Quantova's consensus and accounts use NIST post-quantum cryptography; the threat model explains what that protects.

Quantova is on testnet ahead of mainnet. Security research on the public testnet is welcome and encouraged. Where scope or rewards differ between testnet and mainnet, that is stated explicitly in bug-bounty.md and scope.md.

- Website: https://quantova.org
- Bug bounty (submissions): https://quantova.org/bug-bounty/
- HackenProof programs: https://hackenproof.com/programs
- Developer documentation: https://quantova.org/static/pdfjs/web/viewer.html?file=/static/pdf/Gitbook-Quantova-Developer-Documentation.pdf#nameddest=cover&page=1&pagemode=bookmarks

© 2026 Quantova Inc. See LICENSE.md. This documentation does not constitute legal advice; the bug bounty terms on the official program pages govern in case of any conflict.