Break the bond. $10,000 + $2,500 tiers.
We built a loan application that cannot record a completion unless a real, bonded phone proved device-bound intent for that exact session — a QR scan plus a passport NFC read, cryptographically stapled together. Get the server to accept a synthetic applicant without a genuine bonded device, and the top bounty is yours.
A second tier pays for confirmed, reproducible relay paths and completion-binding breaks: genuine-device relay, protocol, webhook-integrity, payload-swap, wrong-device-authorization, or Action Commitment defects that the operator can independently replay.
We already mapped every standard bypass, RPC injection, session fixation, and TOCTOU race you’re about to try — and locked them down. We know exactly how this is supposed to break. We just don’t think you can do it. We already tried all this. Good luck.
The principle is simple: the lie should be expensive, and the truth should not. The companion IDV landscape explains why the challenge is built around continuity instead of snapshots.
Why this is hard.
The target is not a green checkmark in the browser. The target is a server-recorded Accepted Completion for the protected action.
To qualify, a bypass has to get past the session handoff, a fresh nonce, the Pulse app, device attestation, passport NFC evidence, Action Commitment, and the server-held completion capability — all for the same synthetic profile and protected action.
Browser-only wins, copied sessions, relayed genuine phones, and UI-only success states do not pay the no-phone tier. Relay and binding findings pay only when they meet the $2,500 definition in the rules. We verify against the server completion log because that is the only place the real action can be accepted.
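An added illustration of the server-side gate the paragraphs above describe, written here for this page and not taken from Pulse's protocol or code: the completion log is the source of truth, and a completion is recorded only when the session, action, fresh nonce, enrolled device bond and passport evidence are all covered by one signed commitment. The field set, the record shapes and the names (`CompletionServer`, `phone_sign`, `commitment`) are hypothetical, and the device-bound key is modelled as an HMAC secret the server learned at enrollment, a deliberate simplification of a hardware-attested asymmetric key.

```python
"""Illustrative completion gate (added example; hypothetical model, not Pulse's protocol)."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field


def commitment(session_id: str, action: str, nonce: str, device_id: str, nfc_digest: str) -> bytes:
    """Hash over everything an accepted completion must be bound to (hypothetical field set)."""
    msg = json.dumps(
        {"session": session_id, "action": action, "nonce": nonce,
         "device": device_id, "nfc": nfc_digest},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return hashlib.sha256(msg).digest()


def phone_sign(device_key: bytes, commit: bytes) -> str:
    """Stand-in for the bonded phone signing the commitment with its device-bound key.
    Assumption: HMAC replaces the attested asymmetric signature a real device would produce."""
    return hmac.new(device_key, commit, hashlib.sha256).hexdigest()


@dataclass
class CompletionServer:
    device_keys: dict                                # device_id -> key learned at enrollment
    nonces: dict = field(default_factory=dict)       # nonce -> (session, action), issued and unused
    completions: dict = field(default_factory=dict)  # session -> accepted record (source of truth)

    def start_session(self, session_id: str, action: str) -> str:
        """Issue the fresh nonce that the QR shown in the browser would carry."""
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = (session_id, action)
        return nonce

    def accept_completion(self, session_id, action, nonce, device_id, nfc_digest, signature) -> str:
        """Each check corresponds to one barrier the brief lists; only a full pass writes the log."""
        if session_id in self.completions:
            return "rejected: session already completed"
        issued = self.nonces.get(nonce)
        if issued is None:
            return "rejected: nonce unknown or already consumed"
        if issued != (session_id, action):
            return "rejected: nonce was issued for a different session or action"
        key = self.device_keys.get(device_id)
        if key is None:
            return "rejected: no attested device bond for this device"
        expected = phone_sign(key, commitment(session_id, action, nonce, device_id, nfc_digest))
        if not hmac.compare_digest(expected, signature):
            return "rejected: signature does not cover this exact commitment"
        del self.nonces[nonce]  # single use: the same proof can never be presented twice
        self.completions[session_id] = {"action": action, "device": device_id, "nfc": nfc_digest}
        return "accepted"


def demo() -> dict:
    """Runs one genuine flow and four non-qualifying attempts through the gate (constructed data)."""
    phone_key = secrets.token_bytes(32)
    server = CompletionServer(device_keys={"phone-A": phone_key})
    nfc = hashlib.sha256(b"constructed passport chip data").hexdigest()
    results = {}

    # Genuine flow: bonded phone signs the exact commitment for its own session
    n1 = server.start_session("sess-1", "submit-loan")
    sig1 = phone_sign(phone_key, commitment("sess-1", "submit-loan", n1, "phone-A", nfc))
    results["genuine"] = server.accept_completion("sess-1", "submit-loan", n1, "phone-A", nfc, sig1)

    # Same proof presented again: the completion log already holds the session
    results["replay"] = server.accept_completion("sess-1", "submit-loan", n1, "phone-A", nfc, sig1)

    # Browser-only: no enrolled device, so no key the server will trust
    n3 = server.start_session("sess-3", "submit-loan")
    sig3 = phone_sign(b"unbonded key", commitment("sess-3", "submit-loan", n3, "phone-X", nfc))
    results["no_device"] = server.accept_completion("sess-3", "submit-loan", n3, "phone-X", nfc, sig3)

    # Copied session: a nonce issued to sess-4 is presented under sess-5
    n4 = server.start_session("sess-4", "submit-loan")
    server.start_session("sess-5", "submit-loan")
    sig5 = phone_sign(phone_key, commitment("sess-5", "submit-loan", n4, "phone-A", nfc))
    results["copied_session"] = server.accept_completion("sess-5", "submit-loan", n4, "phone-A", nfc, sig5)

    # Evidence swap: the phone signed one passport digest, the request presents another
    n6 = server.start_session("sess-6", "submit-loan")
    sig6 = phone_sign(phone_key, commitment("sess-6", "submit-loan", n6, "phone-A", nfc))
    other_nfc = hashlib.sha256(b"different constructed chip data").hexdigest()
    results["evidence_swap"] = server.accept_completion("sess-6", "submit-loan", n6, "phone-A", other_nfc, sig6)

    results["completions"] = sorted(server.completions)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the model is the last line of `accept_completion`: nothing reaches the completion log except through every check, so a green check rendered in the browser, a copied session cookie or a re-sent proof leaves the log unchanged, which is exactly why the brief verifies submissions against that log rather than against client state.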
Broke it? Here’s how to claim.
Email your proof package to hello@kenshikilabs.com with the subject “Pulse Bond Challenge — Qualifying Submission.” The first complete submission that we confirm as reproducible and qualifying for each tier wins.
Include, at minimum:
- A deterministic, reproducible proof-of-concept (request/action sequence — method, URL, headers, body, cookies, timing).
- The synthetic profile used, approximate run time, and any visible session or request identifiers.
- Evidence that the server accepted the completion, verification, or protected-action state for your synthetic profile.
- Why the session had no genuine hardware-attested phone bond, or the relay/binding defect that caused unauthorized acceptance, plus root cause and suggested fix.
- A contact name and how you’d like to be reached.
The full evidence standard is in the red-team brief. We verify against our server completion log — the source of truth — and may replay or independently reproduce the bypass or binding break. Screenshots, video, local browser state, or a client-side green check are not enough by themselves. On confirmation: $10,000 for a Qualifying Bypass, $2,500 for a Qualifying Relay or Binding Break, and a standing interview invitation for the $10,000 tier.
Get the Pulse app.
You will need the Pulse iOS beta to scan the QR and prove a real phone is present. Join TestFlight first; the beta guide is the source of truth for the hosted widget and app setup.
Sanctioned, authorized testing only. The paying conditions are defined in the Rules of Engagement. Synthetic data only — never enter real personal information.