$2,000,000 Qstrike26 Challenge

1. Program Overview

Qryptonic, LLC ("Qryptonic") offers the $2,000,000 Quantum Penetration Challenge (the "Challenge") to qualified organizations seeking independent validation of their cryptographic security posture. The Challenge is conducted through Qryptonic's Qstrike26 quantum penetration testing platform, which executes actual cryptographic attacks across multiple quantum computing environments including IBM Quantum, AWS Braket, Azure Quantum, Google Quantum AI, and IonQ.

If Qryptonic fails to identify any High or Critical severity cryptographic vulnerabilities during a qualifying engagement, Qryptonic will pay the participating organization Two Million Dollars ($2,000,000 USD), subject to the terms and conditions herein.

Annual Program Cap: The maximum aggregate payout under this Challenge is Four Million Dollars ($4,000,000 USD) per calendar year. If the annual cap is reached, Qryptonic will suspend new Challenge enrollments until the following calendar year. Organizations with signed SOWs prior to cap notification will be honored.

2. Eligibility Requirements

To participate in the Challenge, an organization must meet all of the following criteria:

(a) Be a legally registered business entity, government agency, or nonprofit organization.

(b) Maintain production systems that process, store, or transmit encrypted data with a minimum data retention requirement of five (5) years or longer.

(c) Have implemented or be actively implementing post-quantum cryptography (PQC) solutions across at least one production environment.

(d) Execute a full Qstrike26 Enterprise engagement at published rates, with no discounts, credits, or promotional pricing applied.

(e) Provide Qryptonic with authorized access to all cryptographic infrastructure within the defined scope, including but not limited to: key management systems, certificate authorities, encryption endpoints, HSMs, and related configuration data.

(f) Sign a Master Services Agreement (MSA), Statement of Work (SOW), and this Challenge Addendum prior to engagement commencement.

Qryptonic reserves the right to decline participation to any organization that does not meet these requirements or whose infrastructure falls outside the scope of Qstrike26's testing capabilities.

3. Engagement Scope

The Challenge applies exclusively to the cryptographic infrastructure explicitly defined in the signed Statement of Work. The engagement scope must include a minimum of one (1) of the following categories:

(a) Public Key Infrastructure (PKI) and certificate management systems

(b) Key management and key exchange protocols

(c) Data-at-rest encryption implementations

(d) Data-in-transit encryption (TLS/SSL configurations, VPN tunnels, API security)

(e) Hardware Security Modules (HSMs) and cryptographic accelerators

Systems, applications, or infrastructure components not explicitly documented in the SOW are excluded from Challenge eligibility. Qryptonic's identification of vulnerabilities in out-of-scope systems does not qualify for Challenge evaluation.

4. Engagement Timeline and Environment Lock

Maximum Duration: Challenge engagements must be completed within forty-five (45) calendar days from the commencement of active testing. Extensions require mutual written agreement and may result in additional fees. Engagements exceeding ninety (90) calendar days for any reason are automatically disqualified from Challenge eligibility.

Environment Baseline Lock: Upon commencement of active testing, Qryptonic will document the baseline configuration state of all in-scope systems. The participating organization agrees not to implement patches, updates, configuration changes, key rotations, or other modifications to in-scope cryptographic infrastructure during the active testing period without prior written approval from Qryptonic. Unauthorized modifications discovered during testing will result in immediate disqualification from Challenge eligibility.

Emergency Exceptions: If the organization must implement an emergency security patch to address an actively exploited vulnerability unrelated to the engagement, the organization must notify Qryptonic in writing within four (4) hours. Qryptonic will document the change and determine in its sole discretion whether Challenge eligibility is affected.

5. Vulnerability Classification

Vulnerabilities identified during the engagement will be classified using the Common Vulnerability Scoring System (CVSS) version 3.1 or later. For purposes of this Challenge:

(a) Critical Severity: CVSS Base Score of 9.0 to 10.0

(b) High Severity: CVSS Base Score of 7.0 to 8.9

The Challenge award is forfeited if Qryptonic identifies one or more High or Critical severity vulnerabilities within the defined scope. Medium, Low, and Informational findings do not affect Challenge eligibility.

Qualifying vulnerability categories include but are not limited to: use of deprecated or weak cryptographic algorithms in production, improper key generation or insufficient key entropy, exposed or inadequately protected cryptographic keys, misconfigured certificate chains or expired certificates in active use, broken or bypassed cryptographic controls, ephemeral key leakage enabling practical cryptanalysis, and configuration states that materially reduce cryptographic strength below acceptable thresholds.

6. Award Conditions

To qualify for the $2,000,000 award, all of the following conditions must be satisfied:

(a) The organization met all eligibility requirements at the time of engagement.

(b) The engagement was completed in full accordance with the signed SOW within the maximum duration.

(c) Qryptonic was provided complete and accurate access to all in-scope systems as defined.

(d) The organization did not withhold, obscure, or misrepresent any information material to the assessment.

(e) The organization maintained environment lock requirements throughout the testing period.

(f) Qryptonic's final deliverable confirms zero (0) High or Critical severity findings within the defined scope.

(g) The organization has paid all invoiced amounts in full prior to award disbursement.

(h) The annual program cap has not been exhausted at the time of final report delivery.

Upon satisfaction of all conditions, Qryptonic will issue payment within sixty (60) business days of final report acceptance. Payment will be made via wire transfer to an account designated by the participating organization. International recipients are solely responsible for any applicable taxes, duties, or withholding requirements in their jurisdiction.

7. Exclusions

The following circumstances disqualify an organization from Challenge eligibility or award:

(a) Engagements conducted under pilot, proof-of-concept, or discounted pricing arrangements.

(b) Organizations that restrict testing to non-production, sandbox, or demonstration environments only.

(c) Engagements where the organization limits access to specific systems, keys, or configurations within the agreed scope after signing.

(d) Organizations that have undergone a prior Qstrike26 engagement within the preceding twelve (12) months.

(e) Any organization that is a direct competitor of Qryptonic or is affiliated with a competing quantum security vendor.

(f) Organizations under active litigation with Qryptonic or any of its affiliates.

(g) Engagements where the organization's conduct, interference, or lack of cooperation materially impaired Qryptonic's ability to perform comprehensive testing.

8. Engagement Withdrawal

Qryptonic reserves the right to withdraw from Challenge eligibility during the discovery or reconnaissance phase of an engagement under the following circumstances:

(a) The organization's cryptographic infrastructure was designed, implemented, or is actively managed by a government agency, military unit, or intelligence service of any nation.

(b) The engagement scope materially differs from representations made during pre-engagement discussions, including undisclosed complexity, classified components, or restricted-access systems.

(c) Qryptonic determines that complete testing would require security clearances, foreign government approvals, or access permissions not obtainable within the engagement timeline.

(d) Information obtained during discovery reveals a material conflict of interest, including but not limited to relationships with competing vendors or ongoing legal matters.

Upon withdrawal from Challenge eligibility, the engagement will continue as a standard Qstrike26 assessment at the contracted rate. The organization will receive the full deliverables and remediation roadmap but will not be eligible for the $2,000,000 award. Fees paid are non-refundable. Qryptonic will provide written notice of withdrawal with stated rationale within five (5) business days of the determination.

This withdrawal right expires upon commencement of active penetration testing. Once quantum attack simulations begin, Qryptonic is bound by the Challenge terms for that engagement.

9. Force Majeure and Platform Availability

Qryptonic's testing methodology requires access to third-party quantum computing platforms operated by IBM, Amazon Web Services, Microsoft, Google, IonQ, and other providers. In the event that one or more quantum computing platforms become unavailable due to outages, maintenance, capacity constraints, service discontinuation, or other circumstances beyond Qryptonic's reasonable control, Qryptonic may pause the engagement until access is restored.

If platform unavailability exceeds fourteen (14) consecutive calendar days, either party may elect to conclude the engagement based on testing completed to date. In such cases, Challenge eligibility will be determined based on the scope tested. No additional award or compensation is owed for untested scope due to platform unavailability. Qryptonic is not liable for delays, incomplete testing, or any damages arising from third-party platform availability issues.

10. Dispute Resolution

In the event of a dispute regarding vulnerability classification or Challenge eligibility, the following process applies:

(a) Internal Review: The organization may submit a written dispute within fourteen (14) calendar days of receiving the final report. Qryptonic's technical review board will evaluate the dispute and provide a written response within twenty-one (21) calendar days.

(b) Independent Arbitration: If the dispute remains unresolved, either party may request binding arbitration administered by JAMS under its Comprehensive Arbitration Rules. The arbitration will be conducted in Miami-Dade County, Florida. The arbitrator's decision regarding CVSS scoring and vulnerability validity shall be final. Each party bears its own costs, with arbitration fees split equally.

Disputes not raised within the fourteen (14) day window are deemed waived.

11. Confidentiality and Publicity

All engagement activities, findings, and deliverables are subject to the confidentiality provisions of the executed MSA. Qryptonic will not disclose the identity of Challenge participants or specific findings without written consent.

Aggregate Statistics: Qryptonic reserves the right to publish aggregate, anonymized statistics regarding Challenge outcomes (e.g., total engagements, total findings, payout status) for marketing and research purposes without identifying individual participants.

Non-Disparagement: The participating organization agrees not to make public statements, social media posts, press releases, or other communications that disparage Qryptonic, its methodology, its personnel, or Challenge outcomes. This provision survives termination of the engagement. Breach of this provision constitutes grounds for immediate disqualification and forfeiture of any pending award.

12. Indemnification

The participating organization agrees to indemnify, defend, and hold harmless Qryptonic, its officers, directors, employees, agents, and affiliates from and against any and all claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising from or related to:

(a) The organization's authorization of testing activities on systems it does not own or have authority to test.

(b) Any production incidents, data loss, or service disruptions resulting from the organization's failure to properly isolate or protect systems outside the defined scope.

(c) Third-party claims arising from the organization's misrepresentation of Challenge results or unauthorized use of Qryptonic's name or trademarks.

(d) Breach of the non-disparagement or confidentiality provisions herein.

13. Limitation of Liability

Qryptonic's total liability under this Challenge is limited to the $2,000,000 award amount per qualifying engagement. In no event shall Qryptonic be liable for indirect, incidental, consequential, special, or punitive damages arising from participation in the Challenge, regardless of whether such damages were foreseeable or whether Qryptonic was advised of the possibility of such damages.

The Challenge does not constitute a warranty, guarantee, or certification of the participating organization's security posture. A finding of zero High or Critical vulnerabilities reflects the results of testing conducted during the engagement period under the specific conditions and scope defined and should not be construed as assurance against future vulnerabilities or attacks.

14. No Assignment

The participating organization may not assign, transfer, or delegate its rights or obligations under this Challenge to any third party without Qryptonic's prior written consent. Any attempted assignment without consent is void. This includes but is not limited to assignment by operation of law, merger, acquisition, or change of control. Qryptonic may assign its rights and obligations to any successor entity or affiliate.

15. Modification and Termination

Qryptonic reserves the right to modify, suspend, or terminate the Challenge at any time with thirty (30) days written notice posted on qryptonic.com. Modifications do not apply retroactively to engagements already in progress at the time of notice. Organizations with signed SOWs at the time of termination will be evaluated under the terms in effect at signing.

16. Governing Law

These Terms and Conditions are governed by the laws of the State of Florida, without regard to conflict of law principles. Any litigation arising under these Terms shall be brought exclusively in the state or federal courts located in Miami-Dade County, Florida. The participating organization consents to personal jurisdiction in such courts.

17. Severability

If any provision of these Terms is held to be invalid, illegal, or unenforceable, the remaining provisions shall continue in full force and effect. The invalid provision shall be modified to the minimum extent necessary to make it valid and enforceable while preserving the parties' original intent.

18. Entire Agreement

These Terms and Conditions, together with the executed MSA and SOW, constitute the entire agreement between the parties regarding the Challenge and supersede all prior oral or written representations, understandings, or agreements. No modification of these Terms is binding unless in writing and signed by authorized representatives of both parties.

19. Acceptance

By executing a Statement of Work that references this Challenge, the participating organization acknowledges that it has read, understood, and agreed to these Terms and Conditions in their entirety.