Bug Bounty Program
Coordinated disclosure rewards for good-faith security research, with Safe Harbor.
1. Overview
Perpetua Labs LLC operates the Cryptograph bug bounty program. We pay $100–$5,000 USD for valid security findings against the Cryptograph wallet on watchOS, the companion iPhone app, our recovery formats, and our backend infrastructure.
Send reports to security@cryptograph.watch. We acknowledge within 3 business days and provide initial triage within 7 business days. Good-faith research conducted under the rules below is authorized under our Safe Harbor commitment.
Bootstrap-tier program. We are in the early phase of Cryptograph's installed base. Rewards reflect that. As we grow, we expect to expand the program to higher tiers and an external platform such as Immunefi or HackerOne. Researchers who report critical bugs at this stage build durable goodwill with the program.
2. Scope
In scope
- The Cryptograph watchOS app (signing, key storage, on-device authorization).
- The Cryptograph iPhone app (display, network proxy, recovery flows).
- On-device data storage and Secure Enclave usage.
- The iPhone↔watch communication protocol (WCSession messages, application context, transferred files).
- Recovery formats: encrypted Recovery Sheet QR; Photo Backup steganography.
- Our public WalletCore fork (perpetua-engineering/wallet-core) and zcash-signer integration. Note that this program only covers our modifications; bugs found in upstream WalletCore are subject to Trust Wallet's bounty program, not Cryptograph's.
- Cryptograph-operated backend services used by the apps for public chain/address data, price, and metadata aggregation.
- The contract registry / known-exploits list distribution.
Out of scope
- Apple's iOS, watchOS, or Secure Enclave themselves — report to Apple's security program; their bounty covers these.
- Third-party RPC providers, price feeds, and other upstream data providers we proxy.
- Bugs in users' own private keys, OPSEC, or device hygiene.
- Social-engineering attacks against Perpetua Labs employees or service providers.
- Physical attacks on user devices.
- Denial-of-service against production infrastructure.
Excluded from rewards
The following are still in scope to receive and triage with acknowledgement, but are not eligible for monetary payout:
- Pure denial-of-service findings affecting availability without compromising confidentiality, integrity, or fund safety. Specifically: a malicious peer app on the iPhone exhausting WCSession bandwidth, app-foreground spam, or comparable resource-exhaustion attacks where keys remain secured and signed transactions remain verifiable. Key extraction or transaction tampering originating from a peer app remains in scope — that is our actual threat model.
- Theoretical vulnerabilities without a working proof-of-concept against the published version.
- Findings against Apple's iOS, watchOS, or Secure Enclave platforms (report directly to Apple's security program; their bounty covers these).
- Findings already publicly disclosed before submission to us.
- Social-engineering attacks against Perpetua Labs employees or service providers (these are HR / opsec issues, not wallet vulnerabilities).
- Self-XSS, clickjacking on non-sensitive pages, or other findings without a meaningful exploit path.
3. Severity classification
Severity is classified per CVSS 4.0, with the wallet-specific examples below as guidance. Final classification is at Perpetua Labs's discretion in discussion with the researcher; we will provide written reasoning if our classification differs from the researcher's submission. We err toward the higher tier on genuine ambiguity.
4. Rewards
| Tier | Amount (USD) | Definition and examples |
|---|---|---|
| Critical | $5,000 | Fund-loss / private-key extraction / mass exploitation across users. Examples: private-key extraction from Secure Enclave; arbitrary unauthorized signing; transaction substitution post-confirmation; Recovery Sheet decryption without password; mass user-fund loss path. |
| High | $1,000 | Significant security degradation; partial fund loss; account compromise without full key access. Examples: Photo Backup decryption without password; iPhone↔watch protocol downgrade allowing tx tampering; partial key disclosure (≤16 bytes of mnemonic entropy); verified-contract registry signature bypass. |
| Medium | $250 | Meaningful security degradation requiring user interaction or specific conditions. Examples: address-display spoofing on the watch; recovery-format collision under attacker control; nonce manipulation requiring user co-operation; backend cache poisoning that changes non-critical metadata shown in the app. |
| Low | $100 | Minor security issues; social-engineering enablers; non-sensitive info leaks. Examples: timing side-channels with no exploitable impact; UI confusion not leading to fund loss; rate-limit bypass on public backend endpoints; metadata leaks (no PII). |
Program terms
- Annual aggregate cap: $20,000 USD across all paid bounties per calendar year. Reports submitted after the cap is hit are eligible for acknowledgement and may be queued for the following year's budget at our discretion.
- Per-researcher annual cap: $5,000 USD across all reports from a single researcher (or coordinated group) per calendar year.
- Quality bonus of up to +50% on the published amount for reports that include a working PoC, novel technique, or defense-in-depth analysis. PoC is the floor for any monetary payout (see Submission rules).
- Currency: USD, paid via wire transfer or KYC-linked stablecoin (USDC/USDT to centralized-exchange-attributable addresses only). No privacy coins; no addresses identified as having been mixed.
- Forward-looking: we expect to expand the program to higher tiers and an external platform (Immunefi or HackerOne) as our installed base grows.
5. Submission rules
- First-report-wins. Only the first valid report of a unique vulnerability is eligible for payout. Subsequent duplicate submissions receive acknowledgement only.
- Working PoC required for payout. Reports without a working proof-of-concept against the currently-published app version are eligible for acknowledgement but not for monetary reward. The PoC must be reproducible by our triage panel from the report alone.
- Per-researcher annual cap: $5,000 USD. See the rewards section. This prevents single-actor extraction even on legitimate findings.
- Time-bounded submissions. Reports must be submitted within 90 days of the researcher's discovery. Stockpiled findings older than 90 days are eligible for acknowledgement but not for monetary reward.
- Single-finding-per-report. Each report describes one vulnerability with one PoC. Bundled mega-reports will be returned with a request to resubmit as separate reports.
- Anti-collusion. Reports identified as coordinated (same PoC, same TTPs, sock-puppet patterns) will be treated as a single submission for payout purposes.
6. Triage and disclosure timeline
- Acknowledge within 3 business days of receipt.
- Initial triage within 7 business days — confirm in-scope, request clarification if needed, assign preliminary severity.
- Status update at 30 days minimum for reports still under active investigation.
- Coordinated disclosure window: 90 days from initial acknowledgement (industry standard). Extensions available by mutual agreement when fix complexity warrants.
- Researcher may publish after the 90-day window expires. We will not retaliate against good-faith disclosure that follows this timeline.
7. Sanctions and KYC
Perpetua Labs LLC is a US-domiciled company subject to US sanctions law. To remain in compliance with the Office of Foreign Assets Control (OFAC) and applicable US tax law, we apply the following payout requirements:
- KYC required for all monetary payouts, regardless of amount. Researchers receiving payment must provide identifying information sufficient for sanctions screening (full legal name, country of residence, government-issued ID for amounts ≥$600 per US tax-reporting rules). W-9 (US persons) or W-8BEN (non-US persons) tax forms required.
- OFAC sanctions screening on every payout. Payouts are screened against the Specially Designated Nationals (SDN) list and applicable jurisdictional sanctions before disbursement.
- Sanctioned jurisdictions ineligible for monetary reward. Reports from researchers identifiable as residing in or operating from OFAC-sanctioned jurisdictions (currently: DPRK, Iran, Cuba, Syria, Russia, Belarus, the Crimea / Luhansk / Donetsk regions of Ukraine) are eligible for acknowledgement and CVE coordination but not for monetary reward. This is a legal constraint, not a position on the merit of the research.
- Payment channels. Wire transfer or KYC-linked stablecoin (USDC/USDT) to centralized-exchange-attributable addresses only. No privacy coins (Zcash, Monero); no addresses identified as having been routed through mixers.
8. Safe Harbor
Perpetua Labs LLC (the “Company”) commits to the following Safe Harbor for security researchers who comply with this policy. This language is adopted from the disclose.io core terms (MIT-licensed; pulled 2026-05-03).
Authorization
If you make a good-faith effort to comply with this policy during your security research, we will consider your research to be authorized, we will work with you to understand and resolve the issue quickly, and Perpetua Labs LLC will not recommend or pursue legal action related to your research.
Anti-litigation pledge
To the extent that your security research activities are inconsistent with certain restrictions in our applicable Terms of Service, we waive those restrictions for the limited purpose of permitting security research under this policy. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
ToS waiver
Activities conducted in a manner consistent with this policy are not considered to violate our Terms of Use, our Privacy Policy, the App Store and Apple Developer terms, the US Computer Fraud and Abuse Act (CFAA), the DMCA §1201 anti-circumvention provisions, or analogous computer-misuse laws in other jurisdictions, to the extent of our ability to commit on your behalf.
Good-faith standard
We define “good-faith security research” consistent with the disclose.io Good Faith Security Research standard. In summary, you act in good faith if you:
- Use only the minimum access necessary to demonstrate the vulnerability.
- Avoid privacy violations, destruction of data, and interruption or degradation of our services. Do not exfiltrate any data beyond a minimal proof-of-concept.
- Use only test accounts you own or have explicit permission from the account-holder to test against.
- Do not use social engineering, phishing, or physical attacks against Perpetua Labs employees or infrastructure.
- Disclose the vulnerability privately to security@cryptograph.watch and provide us a reasonable time to respond before any public disclosure (see Triage and disclosure timeline).
- Do not exploit the vulnerability for any reason beyond verifying its existence.
Source: disclose.io core terms, MIT-licensed. Pulled 2026-05-03 from github.com/disclose/diodb. Adapted with Perpetua Labs LLC named as the committing entity and Cryptograph as the named product. Pending legal counsel review (within 14 days of publication); material edits, if any, will be made in place.
9. How to report
Where to send
- Email: security@cryptograph.watch
- PGP: encrypt sensitive reports with our published key at /.well-known/security-pgp.asc. Fingerprint: EC3F C7B8 51A5 D177 E1CE 0145 2DD2 2ADA 6389 A1E9.
What to include
- A clear description of the vulnerability.
- Step-by-step reproduction steps.
- A working proof-of-concept (required for monetary payout).
- The affected app version (Settings → About on either the phone or watch).
- Your impact assessment.
- A suggested CVSS 4.0 vector. We classify independently but anchor against your assessment.
What NOT to include
- Real user data of accounts that are not yours.
- Credentials of accounts that are not yours.
- Payment instructions for a wallet of yours — we handle payout setup separately, after KYC and OFAC screening (see Sanctions and KYC).
Have a finding? Email security@cryptograph.watch. For architecture context, see the Technical Security Overview.
This policy was published 2026-05-03. Lawyer review is scheduled as a follow-up within 14 days; material edits will be made in place.