AI Vault Systems Inc.
(Operating in the United States and European Union via AI Vault Iberia S.L.)


1. Purpose

AI Vault Systems Inc. (“AI Vault”, “Company”, “we”, “our”) maintains a coordinated vulnerability disclosure program to ensure the security, integrity, and resilience of:

  • Our AI data infrastructure
  • Cloud systems and APIs
  • Web and mobile applications
  • Smart contracts and blockchain integrations
  • The Virdato (VIRD) utility token ecosystem
  • Token distribution and reward mechanisms

We support responsible security research and encourage coordinated disclosure consistent with applicable U.S. law and the European Union Markets in Crypto-Assets Regulation (MiCA).


2. Regulatory Context (EU MiCA & U.S.)

AI Vault Systems Inc. is incorporated in Delaware (United States) and may operate or offer services within the European Union.

Where applicable, Virdato (VIRD) is issued as a utility token under Regulation (EU) 2023/1114 (MiCA).

In alignment with MiCA requirements:

  • Material operational or security incidents affecting the crypto-asset ecosystem may require regulatory notification.
  • Significant cybersecurity events may require disclosure to competent EU authorities.
  • Security weaknesses affecting token holders may require transparent communication.

Nothing in this policy limits mandatory regulatory reporting obligations under:

  • MiCA
  • GDPR
  • EU cybersecurity frameworks
  • U.S. federal or state law

3. Scope

This policy applies to vulnerabilities affecting:

A. AI Vault Data Infrastructure

  • AI processing systems
  • Creator reward systems
  • Data ingestion pipelines
  • Backend services and APIs
  • Authentication systems
  • Databases
  • Cloud infrastructure
  • Analytics engines

B. Virdato (VIRD) Utility Token Ecosystem

  • Smart contracts (all supported networks)
  • Token claim logic
  • Reward threshold algorithms
  • Off-chain validation services
  • Token dashboards
  • Wallet integrations
  • Token distribution systems

4. Incident Classification Tiers

Security incidents are internally classified as follows:

🔴 Critical

  • Smart contract exploit enabling token drain
  • Unauthorized minting or inflation
  • Compromise of private keys
  • Mass exposure of personal data
  • Systemic infrastructure breach
  • Exploits affecting token economics

Response target: Immediate containment and emergency remediation.


🟠 High

  • Privilege escalation vulnerabilities
  • Bypass of authentication controls
  • Exposure of sensitive operational data
  • Significant reward manipulation risk
  • Major API exploitation

Response target: Accelerated remediation and potential regulatory review.


🟡 Medium

  • Information disclosure with limited impact
  • Non-critical smart contract logic issues
  • Rate limit bypass
  • Minor reward miscalculation

Response target: Scheduled remediation.


🟢 Low

  • Cosmetic issues
  • Non-exploitable bugs
  • Minor configuration weaknesses

Response target: Maintenance cycle resolution.


5. Reporting a Vulnerability

If you identify a vulnerability, you agree to:

  1. Notify us promptly at:
    security@aivaultsystems.com
  2. Provide:
    • Detailed description
    • Steps to reproduce
    • Affected URLs or contract addresses
    • Transaction hashes (if applicable)
    • Proof-of-concept evidence
  3. Refrain from:
    • Accessing user data
    • Draining or claiming tokens
    • Modifying system data
    • Conducting denial-of-service testing
    • Exploiting reward systems
    • Manipulating liquidity pools
  4. Allow reasonable time for remediation before public disclosure.

6. Smart Contract & Token-Specific Rules

For Virdato-related vulnerabilities:

  • Do not execute token extraction or liquidity drains
  • Do not manipulate reward thresholds
  • Do not interfere with token supply
  • Do not attempt economic arbitrage

If a vulnerability impacts token holders, coordinated disclosure is required before public communication.

Unauthorized token manipulation may constitute fraud or market abuse under EU and U.S. law.


7. Safe Harbor

AI Vault will not pursue legal action against researchers who:

  • Act in good faith
  • Avoid privacy violations
  • Avoid financial exploitation
  • Comply with this policy

Safe harbor does not apply to:

  • Token extraction
  • Market manipulation
  • Data harvesting
  • Service disruption
  • Intentional financial gain

8. Investigation & Regulatory Escalation

Upon receipt of a valid report, we will:

  • Acknowledge receipt within a reasonable timeframe
  • Investigate and validate findings
  • Classify severity
  • Remediate confirmed vulnerabilities
  • Escalate to legal and compliance review if required
  • Notify regulators if required under MiCA or applicable law

Where MiCA requires notification of a significant incident affecting crypto-asset holders, AI Vault reserves the right to notify competent authorities without delay.


9. Public Disclosure

Researchers must not publicly disclose vulnerabilities until:

  • Remediation is confirmed, OR
  • A mutually agreed disclosure timeline has passed

Premature disclosure that causes financial harm, token disruption, or regulatory exposure may void safe harbor protections.


10. No Financial Reward Guarantee

AI Vault may recognize valid security disclosures at its discretion.

This policy does not:

  • Establish a bounty program
  • Create contractual obligations
  • Guarantee financial compensation

11. Legal Notice

This policy does not authorize:

  • Unauthorized system access
  • Token manipulation
  • Economic exploitation
  • Circumvention of technical controls
  • Violation of EU or U.S. cybersecurity laws

All testing must remain within lawful boundaries.


12. Contact Information

Security Reports:
security@aivaultsystems.com

Corporate Entity:
AI Vault Systems Inc.
Delaware, United States

EU Operational Presence:
AI Vault Iberia S.L. in Barcelona, Spain