Quantova takes the security of its protocol, smart-contract platform, bridges, wallet, and infrastructure seriously. This document explains how to report a vulnerability and what to expect in return.
Please do not report security vulnerabilities through public GitHub issues, pull requests, discussions, or social media.
Report through one of the official channels:
- Quantova bug bounty page (primary): https://quantova.org/bug-bounty/
- HackenProof program: https://hackenproof.com/programs — Quantova runs its bug bounty program through HackenProof. Submitting there ensures your report is tracked, triaged, and eligible for a reward.
- Encrypted email: security@quantova.org for sensitive reports that need encrypted handling. Use the Quantova security PGP key (see PGP key).
When you report, please include as much of the following as possible:
- A clear description of the issue and its security impact.
- The component affected (consensus, QVM, a specific contract, bridge, wallet, RPC, etc.).
- Step-by-step reproduction, including any proof-of-concept.
- The network and version/commit where you observed it (testnet vs. mainnet).
- Your assessment of severity and any suggested remediation.

| Stage | Target |
|---|---|
| Acknowledgement of your report | within 3 business days |
| Initial triage and severity assessment | within 7 business days |
| Status updates | at least every 10 business days until resolved |
| Coordinated public disclosure | after a fix is deployed, per the disclosure policy |
Reward decisions, amounts, and payment are handled through the bug bounty program. See bug-bounty.md for the severity matrix and reward ranges.
A summary is below; the authoritative list is in scope.md.
In scope (high level): the Quantova protocol (consensus, finality, runtime, networking), the Quantova Virtual Machine and first-party contracts/standards (QRC20), cross-chain bridges, the Qmask.io wallet, the q_ JSON-RPC surface, and official node software.
Out of scope (high level): third-party applications and contracts not published by Quantova, social engineering of Quantova staff or users, physical attacks, volumetric DoS/DDoS, already-known issues, and findings without a realistic security impact.
Quantova supports good-faith security research. If you make a good-faith effort to comply with this policy and the bug bounty rules — stay within scope, avoid privacy violations and service disruption, and do not exploit beyond what is needed to prove the issue — Quantova will not pursue or support legal action against you for your research, and will treat it as authorized. If legal action is initiated by a third party against you for activity conducted under this policy, Quantova will make this authorization known.
You must still:
- Use only testnet and your own accounts/assets for testing wherever possible.
- Avoid accessing, modifying, or destroying data that is not yours.
- Avoid any action that degrades service for other users.
- Keep vulnerability details confidential until coordinated disclosure (see disclosure-policy.md).
Quantova is pre-mainnet. During testnet, the latest released testnet build is the supported target for security reports. Once mainnet launches, supported versions will be listed here, and only supported versions will receive security fixes.

| Phase | Supported target |
|---|---|
| Testnet (current) | Latest released testnet node build |
| Mainnet (future) | To be listed at mainnet launch |
For encrypted reports to security@quantova.org, request or retrieve the current Quantova security PGP public key via the official channels on https://quantova.org. Encrypt your report and any proof-of-concept to that key. (Replace this section with the published key fingerprint when available.)
Quantova practices coordinated disclosure: report privately, allow time to remediate, and disclose together. Public disclosure before a fix puts users at risk and may make a report ineligible for a reward. The full timeline is in disclosure-policy.md.
© 2026 Quantova Inc. The bug bounty terms published on the official program pages govern in case of any conflict with this document.