BUG BOUNTY PROGRAM

AMI-Aligned Delaware Corporate Governance Framework

Effective Date: February 17, 2026
Last Updated: February 17, 2026

Responsible Disclosure & Bug Bounty Program

AI Vault Systems Inc. (“AI Vault,” “Company,” “we,” “us,” or “our”) is committed to maintaining strong cybersecurity controls, operational resilience, and integrity across its digital infrastructure and the Virdato (VIRD) utility token ecosystem.

This Responsible Disclosure Program establishes an authorized channel for coordinated vulnerability disclosure and defines eligibility criteria for discretionary recognition and rewards.

This program is structured to align with:

  • EU digital operational resilience principles
  • Markets in Crypto-Assets (MiCA) operational risk expectations
  • GDPR data protection requirements
  • U.S. cybersecurity best practices
  • Delaware corporate governance standards

1. Purpose

The purpose of this program is to:

  • Encourage responsible security research
  • Identify vulnerabilities before malicious exploitation
  • Strengthen platform integrity and user trust
  • Support operational resilience in a regulated digital asset environment

2. Scope

A. Infrastructure

  • Production web applications
  • Backend services and microservices
  • Authentication & identity systems
  • Data processing pipelines
  • Cloud hosting environments
  • CI/CD and deployment logic

B. API

  • Public and private API endpoints
  • Access control logic
  • Rate-limiting controls
  • Reward calculation engines
  • Signature validation systems

C. Blockchain & Token Systems

  • Virdato (VIRD) smart contracts
  • Reward distribution logic
  • Claim thresholds and vesting controls
  • Gas efficiency logic (where exploitable)
  • On-chain/off-chain synchronization mechanisms

D. Integrations

  • Third-party wallet connectors
  • Payment processors (where under Company control)
  • Oracle integrations

3. Out of Scope

  • Denial-of-service attacks without a demonstrated security bypass
  • Social engineering attempts
  • Physical security testing
  • Economic speculation or token price manipulation
  • Third-party services not under Company control
  • Automated scans without validation of exploitability
  • Theoretical vulnerabilities requiring unrealistic threat models

4. Responsible Disclosure Requirements

To be eligible under this program, researchers must:

  • Submit findings privately to: security@aivaultsystems.com
  • Provide clear reproduction steps
  • Include proof-of-concept evidence
  • Describe technical impact
  • Estimate CVSS v3.1 score where possible
  • Identify affected contracts, endpoints, or components

Researchers must NOT:

  • Exfiltrate user data
  • Exploit vulnerabilities for financial gain
  • Mint tokens or manipulate reward pools
  • Disrupt services beyond minimal proof-of-concept
  • Disclose findings publicly prior to coordinated remediation

5. Safe Harbor

If you act in good faith and strictly within the scope of this policy:

  • AI Vault will not pursue civil litigation
  • The Company will not refer compliant research to law enforcement
  • Security testing conducted under this program is considered authorized

Safe harbor applies only to actions fully compliant with this policy.


6. Severity Classification Framework

Vulnerabilities are assessed using a hybrid evaluation model incorporating:

  • CVSS v3.1 scoring
  • Smart contract risk exposure
  • Token economic impact
  • Scope of data exposure
  • Privilege escalation potential
  • Regulatory and operational exposure

Severity Levels

Critical (CVSS 9.0–10.0)

  • Unauthorized token minting
  • Reward pool drain
  • Admin key compromise
  • Authentication bypass with systemic impact

High (CVSS 7.0–8.9)

  • Signature replay
  • Privilege escalation
  • Major reward logic bypass

Medium (CVSS 4.0–6.9)

  • Rate-limit bypass
  • Limited data exposure
  • Non-critical logic flaws

Low (0.1–3.9)

  • Configuration issues
  • Cosmetic API disclosures

7. Bug Bounty Reward Structure (Discretionary)

All rewards are discretionary and based on verified impact.

Severity    Indicative Range (USD)
Critical    $5,000 - $25,000
High        $1,000 - $5,000
Medium      $250 - $1,000
Low         Public recognition

Rewards may be issued in:

  • USD (bank transfer)
  • EUR (SEPA transfer)
  • VIRD utility tokens (Company discretion)

Participation does not create employment, partnership, fiduciary, or contractual rights.


8. Incident Response Timeline

  • Acknowledgment: within 72 hours
  • Initial triage: 3–7 business days
  • Critical remediation: 7–21 days
  • High remediation: 14–30 days
  • Medium/Low remediation: 30–60 days

Timelines may accelerate where systemic or token integrity risk exists.


9. Confidentiality & Coordinated Disclosure

Reports are treated confidentially. Public disclosure may occur only after remediation and coordinated agreement.


10. Regulatory Positioning

This program supports proactive ICT risk mitigation consistent with EU digital operational resilience principles. Nothing herein constitutes regulatory admission, crypto-asset service classification, or financial instrument status.


11. Delaware Corporate Notice

AI Vault Systems Inc. is incorporated in Delaware, United States. This program does not create contractual, employment, or partnership relationships. All disputes are governed by Delaware law unless mandatory EU protections apply.


12. Secure Reporting (PGP)

Researchers are encouraged to encrypt sensitive submissions.

Email: security@aivaultsystems.com
Key Type: RSA 4096
Fingerprint: [INSERT FINGERPRINT]

-----BEGIN PGP PUBLIC KEY BLOCK-----
[INSERT PUBLIC KEY HERE]
-----END PGP PUBLIC KEY BLOCK-----