Trust · Bug Mining Program
Find a real bug. Mine the block. Get paid in HCC.
A clinic gets paid HCC for the verified clinical work it performs. A validator gets paid HCC for the verified compute it provides. A security researcher gets paid HCC for the verified vulnerability work it takes to harden the network. The Bug Mining Program is the security-researcher track of the same HCC mining surface, governed by the same board, paid out of the same treasury logic, audited on the same chain.
Treasury
5,000,000 HCC. 3-of-5 multi-sig. 10,000 HCC critical cap.
Seed
5,000,000 HCC pre-funded
Wallet ch.treasury.bounty. Seed funded by board resolution 2026-05-15. Effective 2026-05-16. Treasury balance and every transfer auditable per-event in ch_transactions.
Signers
3-of-5 board multi-sig
CTO, CFO, Compliance, CEO, Chair. Critical and High payouts require 3-of-5 board signatures. Medium requires 2-of-3 officer signatures. Low requires CTO + Compliance (2/2). Informational requires the Security Lead (1/1).
Caps
10,000 HCC per critical finding
Payouts above 5,000 HCC require a special board resolution recorded on-chain. The cap is intentionally below the seed-divided-by-low-bound — we'd rather pay more researchers than fewer.
Payout tiers
Five severities. Each with examples that ship the program.
| Severity | Payout | Examples |
|---|---|---|
| Critical | 5,000 – 10,000 HCC | RCE, auth bypass, PHI exfiltration, mass account takeover, chain consensus break, Master Equation disagreement with \|Δ\| > 5.0 |
| High | 2,500 – 5,000 HCC | Privilege escalation, single-user account takeover, stored XSS in clinical surface, smart-contract logic bug with material economic impact |
| Medium | 750 – 2,500 HCC | CSRF on sensitive action, stored XSS in patient surface, broken access control to non-PHI data |
| Low | 200 – 750 HCC | Reflected XSS in low-impact context, mixed-content warnings on PHI page, weak rate-limit on non-sensitive endpoint |
| Informational | 50 – 200 HCC | Hardening recommendations, missing best-practice header, documentation gap with material impact |
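As an added example (not the program's own tooling), the following check encodes the Signers, Caps and Payout tiers rules above as one approval gate a treasury script could run before a mint. It assumes the three officers eligible for Medium approvals are the CTO, CFO and CEO, which the page does not state.

```python
"""Payout approval gate for the Bug Mining Program rules on this page.
Constructed example; not the program's own code."""
from dataclasses import dataclass

# Payout ranges per severity, in HCC, taken from the payout-tier table.
PAYOUT_RANGE = {
    "Critical": (5_000, 10_000),
    "High": (2_500, 5_000),
    "Medium": (750, 2_500),
    "Low": (200, 750),
    "Informational": (50, 200),
}

BOARD = {"CTO", "CFO", "Compliance", "CEO", "Chair"}
# Assumption: the "officers" for Medium approvals are the three C-level roles.
OFFICERS = {"CTO", "CFO", "CEO"}

# (eligible signer roles, signatures required) per severity, from the Signers section.
SIGNER_RULE = {
    "Critical": (BOARD, 3),
    "High": (BOARD, 3),
    "Medium": (OFFICERS, 2),
    "Low": ({"CTO", "Compliance"}, 2),
    "Informational": ({"Security Lead"}, 1),
}

SPECIAL_RESOLUTION_ABOVE = 5_000  # payouts above this need an on-chain board resolution


@dataclass(frozen=True)
class Payout:
    severity: str
    amount_hcc: int
    signers: frozenset              # distinct roles that actually signed
    board_resolution: bool = False  # special board resolution recorded on-chain


def check_payout(p: Payout) -> list[str]:
    """Return the list of rule violations; an empty list means the payout may be minted."""
    problems = []
    if p.severity not in PAYOUT_RANGE:
        return [f"unknown severity {p.severity!r}"]
    lo, hi = PAYOUT_RANGE[p.severity]
    if not lo <= p.amount_hcc <= hi:
        problems.append(f"{p.amount_hcc} HCC outside {p.severity} range {lo}-{hi}")
    eligible, quorum = SIGNER_RULE[p.severity]
    valid = p.signers & eligible  # signatures from roles outside the eligible set do not count
    if len(valid) < quorum:
        problems.append(f"{len(valid)} of {quorum} required signatures from {sorted(eligible)}")
    if p.amount_hcc > SPECIAL_RESOLUTION_ABOVE and not p.board_resolution:
        problems.append(f"payout above {SPECIAL_RESOLUTION_ABOVE} HCC needs a board resolution")
    return problems
```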
Master Equation track
A separate surface for "the math is wrong."
Disagreements with the Master Equation are a category of bug we treat seriously and grade by |Δ| — the absolute difference between the reference implementation's output and a hand-derived expected output. |Δ| > 5.0 is graded Critical (5,000–10,000 HCC). Submissions must include the input vector, the reference implementation's output, the hand-derived expected output, and the derivation. The reference implementation lives in the repo cited in the whitepaper.
Lifecycle
Seven states. Public timestamps at each step.
- Reported. Receipt within 24 hours. PGP-encrypted reports preferred (fingerprint below).
- Triaged. Severity assigned within 72 hours of receipt (Q2 2026 median: 41 hours).
- Verified. The team reproduces the finding and confirms scope and impact.
- Fix shipped. Patch lands, regression tests added, production deploy verified.
- Approved. Signers (3-of-5, 2-of-3, etc. depending on severity) approve the payout.
- Minted / transferred. HCC transfer recorded on-chain. KYC and OFAC clearance required.
- Disclosed. 90-day embargo from fix-shipped, or sooner if exploited in the wild. Disclosure includes the finding, the fix, and the researcher's chosen attribution.
Typical whole-loop timeline is under 30 days from fix-shipped to disclosure. Severity disputes are allowed once per finding; if escalated, an external reviewer adjudicates and the final grade is published on the program board.
KYC and OFAC
Required before any HCC transfers.
KYC. W-9 for U.S. researchers, W-8BEN or W-8BEN-E for non-U.S. researchers. KYC completed within 7 days of payout approval; transfer within 3 business days of KYC clearance.
OFAC. Every transfer is screened before mint. Sanctioned jurisdictions result in forfeit with a public board notation — no exceptions.
Tax. HCC paid is taxable compensation income at fair-market value on the transfer date. We file 1099-NEC for U.S. recipients above the §6041 threshold. Non-U.S. recipients are responsible for local tax treatment under their W-8BEN posture.
Authorization. Good-faith research within scope is authorized under 18 U.S.C. § 1030 and the relevant state computer-misuse statutes. We will not pursue civil or criminal action against in-scope research conducted in good faith. The same does not apply to social engineering of staff, physical access attempts, or research against systems explicitly out of scope.
Scope
In and out, explicitly.
In scope. conceptualhealth.com and its officially listed subdomains; api.conceptualhealth.com/v1/*; fhir.conceptualhealth.com; wss://stream.conceptualhealth.com/*; Guardian Orb iOS and Android consumer apps; the Master Equation reference implementation; the OpenAPI spec; the Conceptual Chain client; HCR and HCC contracts; the bounty treasury multi-sig wallet; SMART-on-FHIR endpoints; biometric MFA flow; the account-linking QR exchange.
Out of scope. Production denial-of-service attempts; accessing real PHI without explicit authorization (use the staging tenants); social engineering of staff; physical access to facilities; third-party SaaS we depend on (report to the vendor); internal staging environments; self-XSS where the user is the attacker; missing security headers without demonstrated impact.
Internal carve-out
Employees, contractors, board, advisors, investors.
People paid by Conceptual Health® or with a fiduciary relationship to it are excluded from the Bug Mining Program. That includes engineers, clinicians, contractors, the board, advisors, and investors. Internal finds go to the engineering-merit and clinical-merit compensation schedules instead — same on-chain audit, different mining surface. The exclusion exists so the program rewards adversarial discovery, not internal hygiene.
Submit a finding
PGP-encrypted preferred. Acknowledgement within 24 hours.
Email: security@conceptualhealth.com
PGP fingerprint: 4A2D 8F1E 9B7C 3D5A 6E2F · 8B1C 5D6A 7E8F 9012 3456
Public key: /pgp/security.asc
First-time researchers — read the scope, send the finding, expect a real response. We've never sent a researcher a form letter and we don't plan to start.