# Conceptual Health™ — Master Equation Bug Bounty

We pay independent researchers who find disagreements between the
**documented** Master Equation and any of our **live** surfaces (iOS
app, web portal, clinic console, public API, marketing site).

## Scope

In scope:

- Any computation labelled "Conceptual Health™ score", "CH", or
  "Master Equation" that produces a value diverging from
  `master-equation/calculator.py` by more than 0.05 for the same axis
  vector.
- Any sub-signal aggregator output that diverges from the rule
  declared in `master-equation/sub-signals.yaml` (polarity, range,
  weight).
- Any action whose persisted signal events diverge from the contract
  in `master-equation/action-axis-map.yaml`.

Out of scope:

- Cosmetic discrepancies (rounding to 1 decimal vs 2, label text).
- Bugs in third-party validators that have not run our reference
  `validators/run_validator.py`.

## Reward tiers

| Severity | Definition | Reward |
|---|---|---|
| Critical | Any production surface returns a CH that diverges by ≥ 1.0 from the canonical Python implementation for an input matching a golden vector. | $5,000 |
| High     | Same as above with divergence ≥ 0.1 but < 1.0. | $1,500 |
| Medium   | An action persists a signal event the action-axis-map does not declare, or persists nothing when it should. | $500 |
| Low      | A sub-signal scoring rule is implemented with the wrong polarity or range. | $250 |

## Disclosure

Email **security@conceptualhealth.com** with:

1. A minimal reproducer that uses **only** our public API or web pages.
2. The expected output (from `calculator.py` or the YAML).
3. The actual output (with timestamp + URL).

We acknowledge within 3 business days, fix within the SLA tier above,
and credit the researcher in the public validator registry unless
they request anonymity.

## Safe harbor

Acting in good faith under this policy will not result in legal
action against the researcher.  Do not test against production
patient data; use the public endpoints and the published vectors.