The public record of resolved security issues, incidents, and post-mortems for Quantova, the post-quantum Layer 1 for institutional settlement.
This repository is where Quantova publishes — after coordinated disclosure is complete and a fix is live — security advisories, incident reports, and post-mortems. It exists so the community, integrators, validators, and researchers can see what happened, how it was fixed, and what changed as a result. Transparency after the fact is part of running serious infrastructure.
Do you have a vulnerability to report? This is not the place to report it. Reporting one here, in an issue, or in a pull request puts users at risk. Use the official private channels in Reporting a vulnerability below.
| This repository is | This repository is not |
|---|---|
| Published security advisories for fixed issues | A place to report vulnerabilities |
| Incident reports for events affecting the network or users | A live status page |
| Post-mortems with root cause and follow-up actions | A discussion forum or support channel |
| A permanent, citable public archive | A bug bounty submission portal |
Reporting and triage happen privately; publication happens here once users are protected. The
security policy and the coordinated disclosure process live in the
security-documentation-repository.
Report privately through an official channel — never in this repository:
| Channel | Link |
|---|---|
| Quantova bug bounty (submissions) | https://quantova.org/bug-bounty/ |
| HackenProof program | https://hackenproof.com/programs |
| Encrypted email | security@quantova.org (PGP) |
Quantova practices coordinated disclosure: report privately, allow time to remediate, then the issue is published here.
| Path | What it holds |
|---|---|
| advisories/ | Security advisories for resolved vulnerabilities (QSA-YYYY-NNN). |
| incidents/ | Incident reports for events affecting the network or users (QIR-YYYY-NNN). |
| post-mortems/ | Deeper root-cause analyses and lessons learned. |
| templates/ | The templates used to author advisories, incidents, and post-mortems. |
| SEVERITY.md | How severity is rated (CVSS-style) and what each level means. |
| CONTRIBUTING.md | How disclosures are authored and published (maintainers). |
Every published item follows a consistent format:
- Identifier — QSA-YYYY-NNN (advisory), QIR-YYYY-NNN (incident), or QPM-YYYY-NNN (post-mortem).
- Severity — Critical / High / Medium / Low, per SEVERITY.md.
- Status — Resolved (advisories are only published once fixed).
- Affected components, impact, root cause, resolution, timeline, and credit.
Browse the indexes:
| Prefix | Meaning | Example |
|---|---|---|
| QSA | Quantova Security Advisory (a fixed vulnerability) | QSA-2026-001 |
| QIR | Quantova Incident Report (an operational event) | QIR-2026-001 |
| QPM | Quantova Post-Mortem (root-cause analysis) | QPM-2026-001 |
Numbers are assigned sequentially per year.
Quantova is on testnet ahead of mainnet. No security advisories or incidents have been published yet. This repository is established now so the process and format are in place before mainnet, and so testnet findings that warrant public disclosure have a home.
- Website: https://quantova.org
- Bug bounty (submissions): https://quantova.org/bug-bounty/
- HackenProof programs: https://hackenproof.com/programs
- Security policy & disclosure: the security-documentation-repository
- Developer documentation: https://quantova.org/static/pdfjs/web/viewer.html?file=/static/pdf/Gitbook-Quantova-Developer-Documentation.pdf#nameddest=cover&page=1&pagemode=bookmarks
© 2026 Quantova Inc. See LICENSE.md. Published disclosures are factual records; nothing here constitutes legal advice.