BUG BOUNTY

Responsible disclosure program · ZK circuit audit · Rewards paid in MKV and BTC

The Markovian Protocol is a new blockchain. Its security model depends on the correctness of three things: the proof-of-work consensus layer, the ZK proof system that verifies state transitions, and the archive that makes regime history permanent and tamper-evident. Bugs in any of these undermine the integrity of the chain.

We pay for real vulnerabilities. Scope is narrow. Response time is fast.

REWARD TIERS

CRITICAL

1,000+

MKV + up to 0.1 BTC

Forge a valid ZK proof for false state
Rewrite chain history undetected
Break BFT consensus guarantees
Steal funds from any wallet

HIGH

250–1,000

MKV + up to 0.025 BTC

Soundness flaw in ZK sigma proof
Double-spend on the MKV chain
Merkle root collision or second preimage
API key bypass or privilege escalation

MEDIUM

50–250

MKV

Denial of service on a node
Information disclosure via API
Designer scoring manipulation
Archive integrity gaps

ZK CIRCUIT AUDIT SCOPE

THREE PROOF LAYERS — ALL IN SCOPE

M Provenance Proof BN128 Pedersen commitment + Schnorr sigma proof on the transition matrix M published by governance. Verifies that M was committed before block evaluation. File: zk_m_provenance.py. Verify: api.quantsynth.net/verify/{root}
Signal Input Commitment ZK commitment to the input price vector used in each synthesis run, produced before outputs are known. Wired into the 6-pass synthesis pipeline. File: zk_input_provenance.py. Prevents cherry-picking inputs after the fact.
Miner Credibility Predictions ZK commitment to each designer's predicted regime before block confirmation. Enables fair on-chain scoring without revealing predictions early. File: miner_predictions.py. Endpoint: /predict

IN SCOPE / OUT OF SCOPE

COMPONENT	STATUS NOTES
ZK proof system (all 3 layers)	IN SCOPE Soundness, completeness, forgery
Consensus / PoW layer	IN SCOPE Block validation, chain reorg, 51% analysis
Merkle root construction	IN SCOPE Collision resistance, second preimage
MKV ledger / Kov issuance	IN SCOPE Double-spend, issuance overflow
API authentication layer	IN SCOPE Key bypass, privilege escalation
Designer scoring system	IN SCOPE Score manipulation, prediction replay
Archive integrity	IN SCOPE Historical data tampering, gap injection
XMR payout system	OUT OF SCOPE Not live yet
Third-party deps (hmmlearn, py_ecc)	OUT OF SCOPE Report upstream, tag us
Social engineering / phishing	OUT OF SCOPE
Rate limit bypass / scraping	OUT OF SCOPE Low impact

DISCLOSURE PROCESS

1.

Report privately.
Email [email protected] with a description of the vulnerability, reproduction steps, and your assessment of impact. Do not post publicly until we respond.
2.

We acknowledge within 48 hours.
You will receive confirmation that we received your report. We will triage severity and assign a reward tier within 5 business days.
3.

We fix and verify.
We patch the vulnerability and send you the fix for review. You confirm the fix is complete before we publish the disclosure.
4.

Reward paid on-chain.
MKV rewards are paid directly to your wallet address. BTC rewards via on-chain transaction. Payment within 7 days of fix confirmation.
5.

Public disclosure.
With your permission, we publish a post-mortem detailing the bug and the fix. Your name or handle appears as the finder unless you prefer anonymity.

SUBMIT A REPORT

VULNERABILITY REPORT

YOUR EMAIL OR CONTACT

SEVERITY

AFFECTED COMPONENT

DESCRIPTION & REPRODUCTION STEPS

YOUR MKV WALLET (FOR REWARD)

Or email directly: [email protected]

We do not pursue legal action against good-faith security researchers who follow this policy. We ask that you do not exploit vulnerabilities beyond what is necessary to demonstrate them, and that you do not access or exfiltrate data that is not yours.