Rules & safe harbour
Read this before you do anything. If you stay within the lines, we will treat you as an authorised researcher. If you go outside the lines, we cannot.
In scope
- The four edge nodes' /hyveguard/challenge HTTPS endpoints.
- The signature submission endpoint on this landing page.
- The four challenge VPS hosts and any service they advertise on this page.
- The .onion mirror of this landing page.
- The published canonical challenge string (today's and any future day's, once it rotates).
Out of scope
- Denial-of-service in any form — volumetric, application-layer, slowloris, amplification, resource exhaustion. The point is to break the system, not knock it offline.
- Attacks against upstream providers — OVH, Netcup, DigitalOcean, Vultr, Cloudflare, the registrar, or their staff or infrastructure.
- Social engineering against the operator, the operator's family, or any third party.
- Other tenants on shared hardware. If your attack would touch a host that isn't ours, it's out of scope.
- Physical attacks against any equipment or facility.
- Activity that intentionally degrades service for other researchers.
Out-of-scope activity is not authorised under this policy and may be reported to the relevant provider.
Safe harbour
If you make a good-faith effort to comply with this policy:
- We will not initiate or recommend legal action against you for your research.
- We will not pursue a complaint with your educational institution or employer.
- We will not seek a complaint under the UK Computer Misuse Act 1990 (or any local equivalent) for activity within the scope above.
- We will treat you as an authorised researcher.
- If a third party initiates legal action against you for in-scope research, we will publicly state that your activity was authorised under this policy.
Tier rules
- Tier 1 — Foothold
  Submit a unique flag file from any single node, retrieved by you, with timestamps consistent with your reported access window.
- Tier 2 — Credentials
  Submit a flag from a PostgreSQL row on any node. We've planted them; they rotate location each season.
- Tier 3 — Lateral Movement
  Submit flags from ≥2 distinct nodes, with proof of pivot path (DAG entries we'd see, traffic timing, etc.).
- Tier 4 — Crown Jewel
  A valid Ed25519 signature against today's canonical challenge bytes under the cluster's published group_pub. Verifier runs ed25519.Verify(group_pub, canonical, sig). Cluster broadcasts SHUTDOWN. Season ends.
- Tier 5 — Ghost
  Tier 4, with zero canary trips, zero merkle drift, zero alerts, throughout the entire attack. We confirm via clean DAG + alert history at season end. The attacker may genuinely never know whether a canary fired — that is the point.
Tripping a canary, decoy honey port, or DNS canary does not kick you out, and we don't notify you. It silently records that Ghost is no longer in play this season.
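The Tier 4 check as a verifier would implement it in Go, added here as an illustration and not the operator's own code; the key pair, the challenge string and the hex encoding of submitted values are assumptions, and only the ed25519.Verify(group_pub, canonical, sig) step comes from the rules above.

```go
package main

import (
	"crypto/ed25519"
	"encoding/hex"
	"errors"
	"fmt"
)

// VerifySubmission mirrors the Tier 4 check: ed25519.Verify(group_pub, canonical, sig).
// groupPubHex and sigHex are hex-encoded as a submitter would paste them into the
// form (assumed encoding); canonical is the raw bytes of the day's challenge string.
// Malformed input is rejected before the signature check, so a bad length is never
// reported as a cryptographic verdict.
func VerifySubmission(groupPubHex string, canonical []byte, sigHex string) (bool, error) {
	pub, err := hex.DecodeString(groupPubHex)
	if err != nil {
		return false, fmt.Errorf("group_pub: %w", err)
	}
	if len(pub) != ed25519.PublicKeySize {
		return false, errors.New("group_pub: wrong length")
	}
	sig, err := hex.DecodeString(sigHex)
	if err != nil {
		return false, fmt.Errorf("sig: %w", err)
	}
	if len(sig) != ed25519.SignatureSize {
		return false, errors.New("sig: wrong length")
	}
	// ed25519.Verify panics on a wrong-size public key, hence the length checks above.
	return ed25519.Verify(ed25519.PublicKey(pub), canonical, sig), nil
}

func main() {
	// Constructed stand-in key pair; the real group_pub is published on the landing
	// page and its private half never leaves the cluster.
	pub, priv, _ := ed25519.GenerateKey(nil)
	canonical := []byte("hyveguard-challenge-constructed-example") // constructed, not today's string
	sig := ed25519.Sign(priv, canonical)
	ok, err := VerifySubmission(hex.EncodeToString(pub), canonical, hex.EncodeToString(sig))
	fmt.Println(ok, err)
	// A signature over a previous day's string fails once the challenge rotates.
	ok, _ = VerifySubmission(hex.EncodeToString(pub), []byte("rotated-challenge"), hex.EncodeToString(sig))
	fmt.Println(ok)
}
```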
Reporting
Winning signature: the form on the landing page.
Vulnerability disclosure, partial-tier claims, questions: PGP-encrypted email to disclosure@hyveguard.com (key). Acknowledgement within 72 hours. Triage within 7 days. Resolution depends on severity; we aim for ≤30 days for confirmed vulnerabilities.
Include in your report:
- Tier you're claiming (1–5) or "vulnerability disclosure".
- Your handle (the one you'd like credited).
- Reproduction steps.
- Impact assessment.
- Any artefacts (logs, traces, screenshots — redact your own identifying info if you don't want it public).
Recognition
- Public credit on the hall of fame (you choose the handle).
- CVE attribution where applicable. We'll request the CVE; you're listed as the reporter.
- Write-up rights — publish what you want, when you want, with whatever framing you want, no embargo unless you request one.
- Joint blog post on request.
No monetary bounty at launch. May be revisited at the 60-day mark of any season if engagement justifies it.
Out-of-scope reports
If you find something interesting that's out of scope (e.g. a vulnerability in one of the upstream providers), we'll forward it to the right party with credit to you, but we have no authority to grant safe harbour outside this policy.
Versioning
This policy version: v1.0. Last updated: —.