Security Trust Center

Security is not a feature. It is the prerequisite. QNTM is built by a security engineer with continuous red team testing from day zero. We publish everything we find. We invite you to find what we missed.

Current Security Posture

Updated 2026-04-10
  • 0 critical open
  • 0 high open
  • 0 medium open
  • 0 low open

Phase: pre-mainnet testnet

Red team running continuously against testnet. External audit funded from seed raise and required before mainnet launch. No mainnet without external audit. No exceptions.

Methodology

The operator has a professional security engineering background. Self-certification is conducted against documented methodology. Every finding is logged, classified, and traced to the commit that introduced it and the commit that fixed it.

Red team attacks run continuously against testnet infrastructure on isolated hardware. Attack categories: network layer (eclipse, Sybil, DoS), consensus layer (equivocation, long-range), PQC implementation (timing attacks on Dilithium and Falcon), EVM layer (Slither static analysis, Echidna fuzzing, custom PQC checks), and wallet security.

We follow NIST SP 800-218 (Secure Software Development Framework) from day zero. All builds are reproducible. SBOM generated on every release. All dependencies pinned and checksum-verified.

  • NIST SP 800-218: Secure Software Development Framework
  • NIST FIPS 203/204/205/206: PQC algorithm compliance
  • NSA CNSA 2.0: Algorithm alignment

Bug Bounty

Bug bounty via Immunefi is active from mainnet launch. Pre-mainnet findings are acknowledged, credited, and fixed. Severity classification follows the same framework as our internal red team.

Scope

  • Core protocol node
  • PQC implementation
  • Consensus mechanism
  • EVM runtime integration
  • Wallet SDK

Out of Scope

  • Social engineering
  • Third-party services
  • Spam or DoS without protocol impact
  • Theoretical attacks without PoC

Responsible Disclosure

Report to security@qntmchain.ai. 90-day disclosure policy. We fix first, publish after patch is live. Never publish exploit code.

Findings Log

Full findings log is maintained in the open-source repository at docs/security/findings-log.md. Every finding includes: date, severity, component, status, and the commits that introduced and resolved it.
