{"id":2281454,"date":"2026-02-17T18:07:21","date_gmt":"2026-02-17T18:07:21","guid":{"rendered":"https:\/\/aivaulttech.com\/?page_id=2281454"},"modified":"2026-02-24T19:19:14","modified_gmt":"2026-02-24T19:19:14","slug":"bug-bounty-disclosure","status":"publish","type":"page","link":"https:\/\/aivaulttech.com\/sk\/bug-bounty-disclosure","title":{"rendered":"Bug Bounty Disclosure"},"content":{"rendered":"\n<h1 class=\"wp-block-heading\">BUG BOUNTY PROGRAM<\/h1>\n\n\n\n<p><strong>MiCA-Aligned | Delaware Corporate Governance Framework<\/strong><\/p>\n\n\n\n<p><strong>Effective Date:<\/strong>\u00a017 February 2026<br><strong>Last Updated:<\/strong>\u00a017 February 2026<\/p>\n\n\n\n<h1>Responsible Disclosure &#038; Bug Bounty Program<\/h1>\n\n<p>\nAI Vault Systems Inc. (\u201cAI Vault,\u201d \u201cCompany,\u201d \u201cwe,\u201d \u201cus,\u201d or \u201cour\u201d) is committed to maintaining strong cybersecurity controls,\noperational resilience, and integrity across its digital infrastructure and the Virdato (VIRD) utility token ecosystem.\n<\/p>\n\n<p>\nThis Responsible Disclosure Program establishes an authorized channel for coordinated vulnerability disclosure and defines\neligibility criteria for discretionary recognition and rewards.\n<\/p>\n\n<p>\nThis program is structured to align with:\n<\/p>\n\n<ul>\n<li>EU Digital Operational Resilience principles<\/li>\n<li>Markets in Crypto-Assets (MiCA) operational risk expectations<\/li>\n<li>GDPR data protection requirements<\/li>\n<li>U.S. cybersecurity best practices<\/li>\n<li>Delaware corporate governance standards<\/li>\n<\/ul>\n\n<hr>\n\n<h2>1. Purpose<\/h2>\n\n<p>\nThe purpose of this program is to:\n<\/p>\n\n<ul>\n<li>Encourage responsible security research<\/li>\n<li>Identify vulnerabilities before malicious exploitation<\/li>\n<li>Strengthen platform integrity and user trust<\/li>\n<li>Support operational resilience in a regulated digital asset environment<\/li>\n<\/ul>\n\n<hr>\n\n<h2>2. 
Scope<\/h2>\n\n<h3>A. Infrastructure<\/h3>\n<ul>\n<li>Production web applications<\/li>\n<li>Backend services and microservices<\/li>\n<li>Authentication &#038; identity systems<\/li>\n<li>Data processing pipelines<\/li>\n<li>Cloud hosting environments<\/li>\n<li>CI\/CD and deployment logic<\/li>\n<\/ul>\n\n<h3>B. APIs<\/h3>\n<ul>\n<li>Public and private API endpoints<\/li>\n<li>Access control logic<\/li>\n<li>Rate limiting controls<\/li>\n<li>Reward calculation engines<\/li>\n<li>Signature validation systems<\/li>\n<\/ul>\n\n<h3>C. Blockchain &#038; Token Systems<\/h3>\n<ul>\n<li>Virdato (VIRD) smart contracts<\/li>\n<li>Reward distribution logic<\/li>\n<li>Claim thresholds and vesting controls<\/li>\n<li>Gas efficiency logic (where exploitable)<\/li>\n<li>On-chain\/off-chain synchronization mechanisms<\/li>\n<\/ul>\n\n<h3>D. Integrations<\/h3>\n<ul>\n<li>Third-party wallet connectors<\/li>\n<li>Payment processors (where under Company control)<\/li>\n<li>Oracle integrations<\/li>\n<\/ul>\n\n<hr>\n\n<h2>3. Out of Scope<\/h2>\n\n<ul>\n<li>Denial-of-service attacks without demonstrated security bypass<\/li>\n<li>Social engineering attempts<\/li>\n<li>Physical security testing<\/li>\n<li>Economic speculation or token price manipulation<\/li>\n<li>Third-party services not under Company control<\/li>\n<li>Automated scans without validated exploitability<\/li>\n<li>Theoretical vulnerabilities requiring unrealistic threat models<\/li>\n<\/ul>\n\n<hr>\n\n<h2>4. 
Responsible Disclosure Requirements<\/h2>\n\n<p>\nTo qualify under this program, researchers must:\n<\/p>\n\n<ul>\n<li>Submit findings privately to: <strong>security@aivaultsystems.com<\/strong><\/li>\n<li>Provide clear reproduction steps<\/li>\n<li>Include proof-of-concept evidence<\/li>\n<li>Describe technical impact<\/li>\n<li>Estimate CVSS v3.1 score where possible<\/li>\n<li>Identify affected contracts, endpoints, or components<\/li>\n<\/ul>\n\n<p>\nResearchers must NOT:\n<\/p>\n\n<ul>\n<li>Exfiltrate user data<\/li>\n<li>Exploit vulnerabilities for financial gain<\/li>\n<li>Mint tokens or manipulate reward pools<\/li>\n<li>Disrupt services beyond minimal proof-of-concept<\/li>\n<li>Disclose findings publicly prior to coordinated remediation<\/li>\n<\/ul>\n\n<hr>\n\n<h2>5. Safe Harbor<\/h2>\n\n<p>\nIf you act in good faith and strictly within the scope of this policy:\n<\/p>\n\n<ul>\n<li>AI Vault will not pursue civil litigation<\/li>\n<li>The Company will not refer compliant research to law enforcement<\/li>\n<li>Security testing conducted under this program is considered authorized<\/li>\n<\/ul>\n\n<p>\nSafe harbor applies only to actions fully compliant with this policy.\n<\/p>\n\n<hr>\n\n<h2>6. 
Severity Classification Framework<\/h2>\n\n<p>\nVulnerabilities are assessed using a hybrid evaluation model incorporating:\n<\/p>\n\n<ul>\n<li>CVSS v3.1 scoring<\/li>\n<li>Smart contract risk exposure<\/li>\n<li>Token economic impact<\/li>\n<li>Data exposure magnitude<\/li>\n<li>Privilege escalation potential<\/li>\n<li>Regulatory and operational exposure<\/li>\n<\/ul>\n\n<h3>Severity Levels<\/h3>\n\n<strong>Critical (CVSS 9.0\u201310.0)<\/strong>\n<ul>\n<li>Unauthorized token minting<\/li>\n<li>Reward pool drain<\/li>\n<li>Admin key compromise<\/li>\n<li>Authentication bypass with systemic impact<\/li>\n<\/ul>\n\n<strong>High (CVSS 7.0\u20138.9)<\/strong>\n<ul>\n<li>Signature replay<\/li>\n<li>Privilege escalation<\/li>\n<li>Major reward logic bypass<\/li>\n<\/ul>\n\n<strong>Medium (CVSS 4.0\u20136.9)<\/strong>\n<ul>\n<li>Rate-limit bypass<\/li>\n<li>Limited data exposure<\/li>\n<li>Non-critical logic flaws<\/li>\n<\/ul>\n\n<strong>Low (CVSS 0.1\u20133.9)<\/strong>\n<ul>\n<li>Configuration issues<\/li>\n<li>Cosmetic API disclosures<\/li>\n<\/ul>\n\n<hr>\n\n<h2>7. Bug Bounty Reward Structure (Discretionary)<\/h2>\n\n<p>\nAll rewards are discretionary and based on verified impact.\n<\/p>\n\n<table border=\"1\" cellpadding=\"8\" cellspacing=\"0\">\n<tr>\n<th>Severity<\/th>\n<th>Indicative Range (USD)<\/th>\n<\/tr>\n<tr>\n<td>Critical<\/td>\n<td>$5,000 \u2013 $25,000+<\/td>\n<\/tr>\n<tr>\n<td>High<\/td>\n<td>$1,000 \u2013 $5,000<\/td>\n<\/tr>\n<tr>\n<td>Medium<\/td>\n<td>$250 \u2013 $1,000<\/td>\n<\/tr>\n<tr>\n<td>Low<\/td>\n<td>Public acknowledgment<\/td>\n<\/tr>\n<\/table>\n\n<p>\nRewards may be issued in:\n<\/p>\n\n<ul>\n<li>USD (wire transfer)<\/li>\n<li>EUR (SEPA transfer)<\/li>\n<li>VIRD utility tokens (Company discretion)<\/li>\n<\/ul>\n\n<p>\nParticipation does not create employment, partnership, fiduciary, or contractual rights.\n<\/p>\n\n<hr>\n\n<h2>8. 
Incident Response Timeline<\/h2>\n\n<ul>\n<li>Acknowledgment: within 72 hours<\/li>\n<li>Initial triage: 3\u20137 business days<\/li>\n<li>Critical remediation: 7\u201321 days<\/li>\n<li>High remediation: 14\u201330 days<\/li>\n<li>Medium\/Low remediation: 30\u201360 days<\/li>\n<\/ul>\n\n<p>\nTimelines may accelerate where systemic or token integrity risk exists.\n<\/p>\n\n<hr>\n\n<h2>9. Confidentiality &#038; Coordinated Disclosure<\/h2>\n\n<p>\nReports are treated confidentially.\nPublic disclosure may occur only after remediation and coordinated agreement.\n<\/p>\n\n<hr>\n\n<h2>10. Regulatory Positioning<\/h2>\n\n<p>\nThis program supports proactive ICT risk mitigation consistent with EU digital operational resilience principles.\nNothing herein constitutes regulatory admission, crypto-asset service classification, or financial instrument status.\n<\/p>\n\n<hr>\n\n<h2>11. Delaware Corporate Notice<\/h2>\n\n<p>\nAI Vault Systems Inc. is incorporated in Delaware, United States.\nThis program does not create contractual, employment, or partnership relationships.\nAll disputes are governed by Delaware law unless mandatory EU protections apply.\n<\/p>\n\n<hr>\n\n<h2>12. Secure Reporting (PGP)<\/h2>\n\n<p>\nResearchers are encouraged to encrypt sensitive submissions.\n<\/p>\n\n<p>\nEmail: <strong>security@aivaultsystems.com<\/strong><br>\nKey Type: RSA 4096<br>\nFingerprint: [INSERT FINGERPRINT]<br>\n<\/p>\n\n<pre>\n-----BEGIN PGP PUBLIC KEY BLOCK-----\n[INSERT PUBLIC KEY HERE]\n-----END PGP PUBLIC KEY BLOCK-----\n<\/pre>\n\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>BUG BOUNTY PROGRAM MiCA-Aligned | Delaware Corporate Governance Framework Effective Date:\u00a017 February 2026Last Updated:\u00a017 February 2026 Responsible Disclosure &#038; Bug Bounty Program AI Vault Systems Inc. 
(\u201cAI Vault,\u201d \u201cCompany,\u201d \u201cwe,\u201d \u201cus,\u201d or \u201cour\u201d) is committed to maintaining strong cybersecurity controls, operational resilience, and integrity across its digital infrastructure and the Virdato (VIRD) utility token ecosystem. [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-2281454","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/aivaulttech.com\/sk\/wp-json\/wp\/v2\/pages\/2281454","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/aivaulttech.com\/sk\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/aivaulttech.com\/sk\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/aivaulttech.com\/sk\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/aivaulttech.com\/sk\/wp-json\/wp\/v2\/comments?post=2281454"}],"version-history":[{"count":5,"href":"https:\/\/aivaulttech.com\/sk\/wp-json\/wp\/v2\/pages\/2281454\/revisions"}],"predecessor-version":[{"id":2701453,"href":"https:\/\/aivaulttech.com\/sk\/wp-json\/wp\/v2\/pages\/2281454\/revisions\/2701453"}],"wp:attachment":[{"href":"https:\/\/aivaulttech.com\/sk\/wp-json\/wp\/v2\/media?parent=2281454"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}