Skip to content

scope.md

Latest commit

 

History

History
73 lines (57 loc) · 3.42 KB

scope.md

File metadata and controls

73 lines (57 loc) · 3.42 KB

Scope

The authoritative in-scope and out-of-scope definition for the Quantova bug bounty and security policy. Where the Quantova bug bounty page or the HackenProof program define scope, those govern.

Network note. Quantova is on testnet ahead of mainnet. Test on the public testnet with your own accounts. Items differing between testnet and mainnet are noted.

In scope

Protocol (consensus, finality, runtime, networking)

  • Deterministic, provable finality and the conditions under which it could be broken.
  • Deterministic (no-VRF) slot leadership and any way to manipulate authorship.
  • Nominated Proof-of-Stake election, staking, and slashing logic.
  • The randomness path sourced from post-quantum primitives.
  • P2P networking issues that affect sync or consensus.
  • Forkless runtime-upgrade / on-chain governance mechanisms.

Cryptography

  • The post-quantum signing path: Dilithium (ML-DSA), Falcon (FN-DSA), SPHINCS+ (SLH-DSA).
  • Validator/finality Falcon authority keys.
  • Signature malleability, forgery, or verification bypass (including in precompiles).
  • SHA3-256 usage where a weakness would have security impact.

Quantova Virtual Machine & first-party contracts

  • The QVM execution environment and gas/QGAS metering where exploitable.
  • First-party standards and contracts, including QRC20 and its post-quantum permit / nonce (replay) logic.
  • Native precompiles (signature-verify, hashing, QNS, QTE).

Bridges

  • Cross-chain deposit/withdrawal logic, including mint-without-lock and double-claim.
  • Forging or replaying finality-anchored withdrawal proofs.
  • Relayer trust assumptions (e.g. TRON trusted-relayer route).

Wallet (Qmask.io)

  • Private-key exposure, insecure key storage, or key derivation flaws.
  • Signing of payloads the user did not intend; transaction tampering.

Node software & RPC

  • Remotely triggerable crashes or consensus-affecting node bugs.
  • Unsafe exposure of the q_ JSON-RPC surface or dev/unsafe methods.

Web properties (where they affect user security)

  • quantova.org and official sub-properties where a flaw leads to account/fund compromise (e.g. auth bypass, stored XSS with real impact). Informational/UX issues are out of scope.

Out of scope

  • Third-party applications, contracts, wallets, bridges, or services not published by Quantova.
  • Social engineering of Quantova employees, contractors, validators, or users; phishing.
  • Physical attacks against people, offices, or data centers.
  • Volumetric DoS/DDoS, traffic floods, and spam.
  • Output from automated scanners without a demonstrated, realistic exploit.
  • Issues already known to Quantova, already reported, or already public.
  • Best-practice or "missing header/hardening" reports without a concrete security impact.
  • Self-inflicted issues (e.g. losing your own keys), or attacks requiring privileged access you already control.
  • UI/UX bugs, spelling/localization errors, and non-security defects.
  • Vulnerabilities in out-of-date software without a working proof-of-concept.

How scope changes

Scope evolves as Quantova approaches and reaches mainnet. The current, binding scope is always the one published on the Quantova bug bounty page and the HackenProof program.

© 2026 Quantova Inc.