{"id":2311459,"date":"2026-02-17T19:23:30","date_gmt":"2026-02-17T19:23:30","guid":{"rendered":"https:\/\/aivaulttech.com\/?page_id=2311459"},"modified":"2026-02-17T19:23:30","modified_gmt":"2026-02-17T19:23:30","slug":"responsible-disclosure-vulnerability-disclosure-policy","status":"publish","type":"page","link":"https:\/\/aivaulttech.com\/el\/responsible-disclosure-vulnerability-disclosure-policy","title":{"rendered":"Responsible Disclosure &#038; Vulnerability Disclosure Policy"},"content":{"rendered":"<p><strong>AI Vault Systems Inc.<\/strong> <br>(Operating in the United States and European Union via AI Vault Iberia S.L)<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">1. Purpose<\/h2>\n\n\n\n<p>AI Vault Systems Inc. (\u201cAI Vault\u201d, \u201cCompany\u201d, \u201cwe\u201d, \u201cour\u201d) maintains a coordinated vulnerability disclosure program to ensure the security, integrity, and resilience of:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Our AI data infrastructure<\/li>\n\n\n\n<li>Cloud systems and APIs<\/li>\n\n\n\n<li>Web and mobile applications<\/li>\n\n\n\n<li>Smart contracts and blockchain integrations<\/li>\n\n\n\n<li>The Virdato (VIRD) utility token ecosystem<\/li>\n\n\n\n<li>Token distribution and reward mechanisms<\/li>\n<\/ul>\n\n\n\n<p>We support responsible security research and encourage coordinated disclosure consistent with applicable U.S. law and the European Union Markets in Crypto-Assets Regulation (MiCA).<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">2. Regulatory Context (EU MiCA &amp; U.S.)<\/h2>\n\n\n\n<p>AI Vault Systems Inc. is incorporated in Delaware (United States) and may operate or offer services within the European Union.<\/p>\n\n\n\n<p>Where applicable, Virdato (VIRD) is issued as a&nbsp;<strong>utility token<\/strong>&nbsp;under Regulation (EU) 2023\/1114 (MiCA).<\/p>\n\n\n\n<p>In alignment with MiCA requirements:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Material operational or security incidents affecting the crypto-asset ecosystem may require regulatory notification.<\/li>\n\n\n\n<li>Significant cybersecurity events may require disclosure to competent EU authorities.<\/li>\n\n\n\n<li>Security weaknesses affecting token holders may require transparent communication.<\/li>\n<\/ul>\n\n\n\n<p>Nothing in this policy limits mandatory regulatory reporting obligations under:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>MiCA<\/li>\n\n\n\n<li>GDPR<\/li>\n\n\n\n<li>EU cybersecurity frameworks<\/li>\n\n\n\n<li>U.S. federal or state law<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">3. Scope<\/h2>\n\n\n\n<p>This policy applies to vulnerabilities affecting:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">A. AI Vault Data Infrastructure<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>AI processing systems<\/li>\n\n\n\n<li>Creator reward systems<\/li>\n\n\n\n<li>Data ingestion pipelines<\/li>\n\n\n\n<li>Backend services and APIs<\/li>\n\n\n\n<li>Authentication systems<\/li>\n\n\n\n<li>Databases<\/li>\n\n\n\n<li>Cloud infrastructure<\/li>\n\n\n\n<li>Analytics engines<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">B. Virdato (VIRD) Utility Token Ecosystem<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Smart contracts (all supported networks)<\/li>\n\n\n\n<li>Token claim logic<\/li>\n\n\n\n<li>Reward threshold algorithms<\/li>\n\n\n\n<li>Off-chain validation services<\/li>\n\n\n\n<li>Token dashboards<\/li>\n\n\n\n<li>Wallet integrations<\/li>\n\n\n\n<li>Token distribution systems<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">4. Incident Classification Tiers<\/h2>\n\n\n\n<p>Security incidents are internally classified as follows:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udd34 Critical<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Smart contract exploit enabling token drain<\/li>\n\n\n\n<li>Unauthorized minting or inflation<\/li>\n\n\n\n<li>Compromise of private keys<\/li>\n\n\n\n<li>Mass exposure of personal data<\/li>\n\n\n\n<li>Systemic infrastructure breach<\/li>\n\n\n\n<li>Exploits affecting token economics<\/li>\n<\/ul>\n\n\n\n<p>Response target: Immediate containment and emergency remediation.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udfe0 High<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Privilege escalation vulnerabilities<\/li>\n\n\n\n<li>Bypass of authentication controls<\/li>\n\n\n\n<li>Exposure of sensitive operational data<\/li>\n\n\n\n<li>Significant reward manipulation risk<\/li>\n\n\n\n<li>Major API exploitation<\/li>\n<\/ul>\n\n\n\n<p>Response target: Accelerated remediation and potential regulatory review.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udfe1 Medium<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Information disclosure with limited impact<\/li>\n\n\n\n<li>Non-critical smart contract logic issues<\/li>\n\n\n\n<li>Rate limit bypass<\/li>\n\n\n\n<li>Minor reward miscalculation<\/li>\n<\/ul>\n\n\n\n<p>Response target: Scheduled remediation.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udfe2 Low<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cosmetic issues<\/li>\n\n\n\n<li>Non-exploitable bugs<\/li>\n\n\n\n<li>Minor configuration weaknesses<\/li>\n<\/ul>\n\n\n\n<p>Response target: Maintenance cycle resolution.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">5. Reporting a Vulnerability<\/h2>\n\n\n\n<p>If you identify a vulnerability, you agree to:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Notify us promptly at:<br><strong><a>security@aivaultsystems.com<\/a><\/strong><\/li>\n\n\n\n<li>Provide:\n<ul class=\"wp-block-list\">\n<li>Detailed description<\/li>\n\n\n\n<li>Steps to reproduce<\/li>\n\n\n\n<li>Affected URLs or contract addresses<\/li>\n\n\n\n<li>Transaction hashes (if applicable)<\/li>\n\n\n\n<li>Proof-of-concept evidence<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Refrain from:\n<ul class=\"wp-block-list\">\n<li>Accessing user data<\/li>\n\n\n\n<li>Draining or claiming tokens<\/li>\n\n\n\n<li>Modifying system data<\/li>\n\n\n\n<li>Conducting denial-of-service testing<\/li>\n\n\n\n<li>Exploiting reward systems<\/li>\n\n\n\n<li>Manipulating liquidity pools<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Allow reasonable time for remediation before public disclosure.<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">6. Smart Contract &amp; Token-Specific Rules<\/h2>\n\n\n\n<p>For Virdato-related vulnerabilities:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Do not execute token extraction or liquidity drains<\/li>\n\n\n\n<li>Do not manipulate reward thresholds<\/li>\n\n\n\n<li>Do not interfere with token supply<\/li>\n\n\n\n<li>Do not attempt economic arbitrage<\/li>\n<\/ul>\n\n\n\n<p>If a vulnerability impacts token holders, coordinated disclosure is required before public communication.<\/p>\n\n\n\n<p>Unauthorized token manipulation may constitute fraud or market abuse under EU and U.S. law.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">7. Safe Harbor<\/h2>\n\n\n\n<p>AI Vault will not pursue legal action against researchers who:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Act in good faith<\/li>\n\n\n\n<li>Avoid privacy violations<\/li>\n\n\n\n<li>Avoid financial exploitation<\/li>\n\n\n\n<li>Comply with this policy<\/li>\n<\/ul>\n\n\n\n<p>Safe harbor does not apply to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Token extraction<\/li>\n\n\n\n<li>Market manipulation<\/li>\n\n\n\n<li>Data harvesting<\/li>\n\n\n\n<li>Service disruption<\/li>\n\n\n\n<li>Intentional financial gain<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">8. Investigation &amp; Regulatory Escalation<\/h2>\n\n\n\n<p>Upon receipt of a valid report, we will:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Acknowledge receipt within a reasonable timeframe<\/li>\n\n\n\n<li>Investigate and validate findings<\/li>\n\n\n\n<li>Classify severity<\/li>\n\n\n\n<li>Remediate confirmed vulnerabilities<\/li>\n\n\n\n<li>Escalate to legal and compliance review if required<\/li>\n\n\n\n<li>Notify regulators if required under MiCA or applicable law<\/li>\n<\/ul>\n\n\n\n<p>Where MiCA requires notification of a significant incident affecting crypto-asset holders, AI Vault reserves the right to notify competent authorities without delay.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">9. Public Disclosure<\/h2>\n\n\n\n<p>Researchers must not publicly disclose vulnerabilities until:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Remediation is confirmed, OR<\/li>\n\n\n\n<li>A mutually agreed disclosure timeline has passed<\/li>\n<\/ul>\n\n\n\n<p>Premature disclosure that causes financial harm, token disruption, or regulatory exposure may void safe harbor protections.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">10. No Financial Reward Guarantee<\/h2>\n\n\n\n<p>AI Vault may recognize valid security disclosures at its discretion.<\/p>\n\n\n\n<p>This policy does not:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Establish a bounty program<\/li>\n\n\n\n<li>Create contractual obligations<\/li>\n\n\n\n<li>Guarantee financial compensation<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">11. Legal Notice<\/h2>\n\n\n\n<p>This policy does not authorize:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Unauthorized system access<\/li>\n\n\n\n<li>Token manipulation<\/li>\n\n\n\n<li>Economic exploitation<\/li>\n\n\n\n<li>Circumvention of technical controls<\/li>\n\n\n\n<li>Violation of EU or U.S. cybersecurity laws<\/li>\n<\/ul>\n\n\n\n<p>All testing must remain within lawful boundaries.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">12. Contact Information<\/h2>\n\n\n\n<p>Security Reports:<br>\u00a0<a>security@aivaultsystems.com<\/a><\/p>\n\n\n\n<p>Corporate Entity:<br>AI Vault Systems Inc.<br>Delaware, United States<\/p>\n\n\n\n<p>EU Operational Presence:<br>AI Vault Iberia S.L in Barcelona, Spain<\/p>","protected":false},"excerpt":{"rendered":"<p>AI Vault Systems Inc. (Operating in the United States and European Union via AI Vault Iberia S.L) 1. Purpose AI Vault Systems Inc. (\u201cAI Vault\u201d, \u201cCompany\u201d, \u201cwe\u201d, \u201cour\u201d) maintains a coordinated vulnerability disclosure program to ensure the security, integrity, and resilience of: We support responsible security research and encourage coordinated disclosure consistent with applicable U.S. [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-2311459","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/aivaulttech.com\/el\/wp-json\/wp\/v2\/pages\/2311459","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/aivaulttech.com\/el\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/aivaulttech.com\/el\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/aivaulttech.com\/el\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/aivaulttech.com\/el\/wp-json\/wp\/v2\/comments?post=2311459"}],"version-history":[{"count":1,"href":"https:\/\/aivaulttech.com\/el\/wp-json\/wp\/v2\/pages\/2311459\/revisions"}],"predecessor-version":[{"id":2281459,"href":"https:\/\/aivaulttech.com\/el\/wp-json\/wp\/v2\/pages\/2311459\/revisions\/2281459"}],"wp:attachment":[{"href":"https:\/\/aivaulttech.com\/el\/wp-json\/wp\/v2\/media?parent=2311459"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}