BUG BOUNTY PROGRAM

MiCA-Aligned | Delaware Corporate Governance Framework

Effective Date: 17 February 2026
Last Updated: 17 February 2026

Responsible Disclosure & Bug Bounty Program

AI Vault Systems Inc. (“AI Vault,” “Company,” “we,” “us,” or “our”) is committed to maintaining strong cybersecurity controls, operational resilience, and integrity across its digital infrastructure and the Virdato (VIRD) utility token ecosystem.

This Responsible Disclosure Program establishes an authorized channel for coordinated vulnerability disclosure and defines eligibility criteria for discretionary recognition and rewards.

This program is structured to align with:

  • EU Digital Operational Resilience principles
  • Markets in Crypto-Assets (MiCA) operational risk expectations
  • GDPR data protection requirements
  • U.S. cybersecurity best practices
  • Delaware corporate governance standards

1. Purpose

The purpose of this program is to:

  • Encourage responsible security research
  • Identify vulnerabilities before malicious exploitation
  • Strengthen platform integrity and user trust
  • Support operational resilience in a regulated digital asset environment

2. Scope

A. Infrastructure

  • Production web applications
  • Backend services and microservices
  • Authentication & identity systems
  • Data processing pipelines
  • Cloud hosting environments
  • CI/CD and deployment logic

B. APIs

  • Public and private API endpoints
  • Access control logic
  • Rate limiting controls
  • Reward calculation engines
  • Signature validation systems

C. Blockchain & Token Systems

  • Virdato (VIRD) smart contracts
  • Reward distribution logic
  • Claim thresholds and vesting controls
  • Gas efficiency logic (where exploitable)
  • On-chain/off-chain synchronization mechanisms

D. Integrations

  • Third-party wallet connectors
  • Payment processors (where under Company control)
  • Oracle integrations

3. Out of Scope

  • Denial-of-service attacks without demonstrated security bypass
  • Social engineering attempts
  • Physical security testing
  • Economic speculation or token price manipulation
  • Third-party services not under Company control
  • Automated scans without validated exploitability
  • Theoretical vulnerabilities requiring unrealistic threat models

4. Responsible Disclosure Requirements

To qualify under this program, researchers must:

  • Submit findings privately to: security@aivaultsystems.com
  • Provide clear reproduction steps
  • Include proof-of-concept evidence
  • Describe technical impact
  • Provide an estimated CVSS v3.1 score where possible
  • Identify affected contracts, endpoints, or components

Researchers must NOT:

  • Exfiltrate user data
  • Exploit vulnerabilities for financial gain
  • Mint tokens or manipulate reward pools
  • Disrupt services beyond minimal proof-of-concept
  • Disclose findings publicly prior to coordinated remediation

5. Safe Harbor

If you act in good faith and strictly within the scope of this policy:

  • AI Vault will not pursue civil litigation
  • The Company will not refer compliant research to law enforcement
  • Security testing conducted under this program is considered authorized

Safe harbor applies only to actions fully compliant with this policy.


6. Severity Classification Framework

Vulnerabilities are assessed using a hybrid evaluation model incorporating:

  • CVSS v3.1 scoring
  • Smart contract risk exposure
  • Token economic impact
  • Data exposure magnitude
  • Privilege escalation potential
  • Regulatory and operational exposure

Severity Levels

Critical (CVSS 9.0–10.0)
  • Unauthorized token minting
  • Reward pool drain
  • Admin key compromise
  • Authentication bypass with systemic impact

High (CVSS 7.0–8.9)
  • Signature replay
  • Privilege escalation
  • Major reward logic bypass

Medium (CVSS 4.0–6.9)
  • Rate-limit bypass
  • Limited data exposure
  • Non-critical logic flaws

Low (CVSS 0.1–3.9)
  • Configuration issues
  • Cosmetic API disclosures

7. Bug Bounty Reward Structure (Discretionary)

All rewards are discretionary and based on verified impact.

Severity   Indicative Range (USD)
Critical   $5,000 – $25,000+
High       $1,000 – $5,000
Medium     $250 – $1,000
Low        Public acknowledgment

Rewards may be issued in:

  • USD (wire transfer)
  • EUR (SEPA transfer)
  • VIRD utility tokens (Company discretion)

Participation does not create employment, partnership, fiduciary, or contractual rights.


8. Incident Response Timeline

  • Acknowledgment: within 72 hours
  • Initial triage: 3–7 business days
  • Critical remediation: 7–21 days
  • High remediation: 14–30 days
  • Medium/Low remediation: 30–60 days

Timelines may accelerate where systemic or token integrity risk exists.


9. Confidentiality & Coordinated Disclosure

Reports are treated confidentially. Public disclosure may occur only after remediation and coordinated agreement.


10. Regulatory Positioning

This program supports proactive ICT risk mitigation consistent with EU digital operational resilience principles. Nothing herein constitutes regulatory admission, crypto-asset service classification, or financial instrument status.


11. Delaware Corporate Notice

AI Vault Systems Inc. is incorporated in Delaware, United States. This program does not create contractual, employment, or partnership relationships. All disputes are governed by Delaware law unless mandatory EU protections apply.


12. Secure Reporting (PGP)

Researchers are encouraged to encrypt sensitive submissions.

Email: security@aivaultsystems.com
Key Type: RSA 4096
Fingerprint: [INSERT FINGERPRINT]

-----BEGIN PGP PUBLIC KEY BLOCK-----
[INSERT PUBLIC KEY HERE]
-----END PGP PUBLIC KEY BLOCK-----