Scope
- QuantumProof wallet extension, desktop builds, and signing APIs.
- On-chain contracts: staking, AMM, bridge escrow, governance registries.
- Node operator dashboard and validator telemetry endpoints.
- QuantumScan explorer (REST and WebSocket surfaces).

Out of scope: social engineering, third-party services, and bugs that require rooted devices.

Reward Tiers

| Impact | Reward (QP) | Notes |
|---|---|---|
| Critical | 50,000+ | Direct theft, protocol halting, signature bypass. |
| High | 15,000 | Validator slashing risk, cross-account access, permanent fund lock. |
| Medium | 5,000 | Privilege escalation, persistent spoofing, fund freeze. |
| Low | 1,000 | Information leaks, input validation issues. |

Payouts can be denominated in QP or USDT equivalents. Responsible disclosure is required for eligibility.

Submission Checklist
- Proof-of-concept with reproduction steps, impact assessment, and suggested mitigation.
- Testnet transaction IDs or screenshots for wallet/contract bugs.
- Environment details (OS, browser, wallet version, node version).
- PGP public key if you prefer encrypted follow-up.

Email security@qqp.io or use the in-wallet “Report Issue” flow. Please allow up to 3 business days for acknowledgement.

Hall of Fame
Researchers who responsibly disclose critical issues are featured in our quarterly security report and receive exclusive QuantumProof jackets.