Security & disclosure

We pay for receipts. Including the ones that prove us wrong.

Peptide MD runs a five-tier coordinated disclosure program. Cryptographic bugs, biosecurity escapes, web-app vulnerabilities, indexed scientific claims that cannot be reproduced, and public re-implementations of the verifier are all in scope. Every paid finding is published on /changelog, anonymized at the reporter's discretion.

Disclosure address: security@peptidemd.io (PGP key at .well-known/pgp-key.txt)
Acknowledgement: within 48 hours
Triage decision: within 5 business days
Public posture: /.well-known/security.txt
Coordinated disclosure window: 90 days

Bounty tiers

01  Verifier cryptography
    $2,500 – $25,000 USD

Scope: @peptide-md/verifier and the OEA-V1 / PDA-V1 surface it implements

Example findings
  • Hash collision in the canonical-JSON dialect
  • Merkle path that admits a forged participant inclusion proof
  • Pre-registration replay that yields a different oea_hash for the same logical commit
  • Audience-posture bypass (patient sees clinician-only fields)

02  BioGate biosecurity
    $5,000 – $50,000 USD

Scope: Public-tier screen and the eventual private-tier rules under the Council seat

Example findings
  • Sequence that should trip RED but is reported GREEN
  • Profile-HMM circumvention via known-equivalent residue substitutions
  • Adversarial input that crashes the screen rather than refusing

03  Reproduction of an indexed claim
    $500 – $5,000 USD

Scope: Any peptide page, protocol page, cohort page, or LOO posterior

Example findings
  • Citation graded A or B that does not support the cited claim on inspection
  • Cohort posterior that cannot be reproduced from the OEA reveal
  • RWE summary whose CI95 does not match a recomputation from the source data
  • Jurisdiction gate marked allowed where the latest regulatory text says it is not

04  Standard web app
    $200 – $10,000 USD

Scope: Authentication, payments, dashboard, API routes, /api/dossier signing

Example findings
  • Authentication bypass / privilege escalation
  • PDF dossier export with audience-posture leak
  • SSRF, SQLi, XSS, IDOR on any /api route
  • Privacy regression (PII in logs, in PDFs, in URLs)

05  Reproduction grants (open call)
    $1,500 grant per accepted re-implementation

Scope: Independent re-implementations of the verifier in any language

Example findings
  • Go, Rust, Swift, Elixir, Python implementations that produce all three frozen vectors
  • Independent canonical-JSON parser whose output bytes match
  • Public report of any divergence

Out of scope

  • Vulnerability reports based purely on automated scanner output
  • DoS / volumetric attacks against any infrastructure
  • Social engineering of staff, contractors, or council members
  • Phishing campaigns against users
  • Self-XSS without a clear cross-user vector
  • Missing security headers without a demonstrated impact
  • Outdated software without a demonstrated exploit
  • Findings on third-party services (RCSB, npm, PubMed)

Safe harbor

Good-faith research conducted in accordance with this policy is treated as authorized, not as unauthorized access. We will not pursue civil or criminal action against you for actions that comply with this policy, and we will work with you to publish your finding under a coordinated disclosure timeline you agree to. If a third party brings legal action against you for activity within the policy, we will make it known that the activity was authorized.

Do not access or modify another user's data. Do not exfiltrate more data than is necessary to demonstrate the finding. Do not test a finding against production after the first reproduction is documented.