🏆 Security Leaderboard

Find vulnerabilities. Earn points. Climb the ranks. The best security researchers get recognised publicly and build reputation in the AI security space.

How It Works

Report a valid vulnerability. We verify it, assign a severity, and award points. Your points accumulate across all findings and never expire. As you level up, you unlock ranks and perks.

Critical

1000

points

RCE, auth bypass, wallet drain, full data access

High

500

points

Data exposure, privilege escalation, cert bypass

Medium

200

points

XSS, CSRF, info disclosure, logic flaws

Low

points

Best practices, minor issues, informational

Ranks

🔍

Scout

0+ points

Leaderboard listing
Public profile

🎯

Hunter

500+ points

Scout perks +
Named in release notes
Early access to new features

🛡️

Sentinel

2,000+ points

Hunter perks +
SXM Sentinel badge for LinkedIn
Private security channel access
Influence on threat model updates

🏛️

Guardian

5,000+ points

Sentinel perks +
Co-author on security advisories
Invitation to advisory board
Free Enterprise tier (when launched)

⚡

Architect

10,000+ points

Guardian perks +
Named Security Architect on /about
Direct input on evaluation patterns
Revenue share on paid bounties (when launched)

Bonus Points

🔥 First Blood

First valid finding in a new category: +200 bonus

⚡ Speed Run

Valid finding within 24h of a new feature deploy: +150 bonus

🔗 Chain Bonus

Finding that chains multiple vulnerabilities: +300 bonus

📝 Quality Report

Detailed writeup with reproduction steps and fix suggestion: +100 bonus

🎯 Streak

3+ valid findings in a month: +250 bonus per streak

🧬 Novel Vector

Attack vector not in our threat model: +500 bonus

Leaderboard

#	Researcher	Rank	Findings	Points
🏆 The board is empty. Be the first to find a vulnerability and claim the #1 spot.

Scope

SXM platform and all subdomains
All API endpoints (public, self-service, and admin)
Evaluation engine (static + live evaluator logic)
Blockchain integration (attestation, verification)
Authentication and authorisation (API keys, permissions, rate limiting)

Out of Scope

Third-party services (Vercel, Neon, Polygon, Cloudflare)
Social engineering or phishing
DDoS or volumetric attacks
Issues already documented in our threat model

Rules

Test only against your own accounts and API keys
Do not access other users' data
Do not disrupt the service or degrade availability
Report via research@scientiaexmachina.co
Include: description, reproduction steps, impact assessment, suggested fix (for bonus points)
We will acknowledge within 48 hours and verify within 7 days
We will not take legal action against good-faith security researchers

We follow coordinated disclosure. Please allow us reasonable time to fix issues before public disclosure. Researchers who respect this get priority on future findings and bonus streak points.