Rules of Engagement
The Pulse Bond Challenge bounty terms in brief. The public brief is an attack map; this page is the payout contract. The top tier pays for a server-recorded Accepted Completion for a synthetic profile — a completion for a session that never completed a genuine bonded phone session. The second tier pays for a confirmed relay path or completion-binding break that the operator can independently replay.
The challenge (the only things that pay)
A Qualifying Bypass occurs if, and only if, a claimant causes the system’s server to produce a server-recorded Accepted Completion for a synthetic profile — by defeating the sensor-fusion evaluation, the server-side presence gate, and the server-held bond capability — and provides a deterministic, reproducible proof-of-concept. A success drawn only in the browser does not qualify. The operator’s inspection of its server-side completion log is the source of truth.
A Qualifying Relay or Binding Break occurs if, and only if, a claimant demonstrates a confirmed, reproducible relay path or completion-binding break that causes the system’s server to accept a completion, verification, or protected-action state for a synthetic profile through a genuine-device relay, protocol defect, webhook-integrity defect, payload swap, wrong-device authorization, or Action Commitment binding defect, and the operator can independently replay the defect. This does not satisfy the Qualifying Bypass definition unless it also creates the no-phone Accepted Completion above.
To claim either bounty tier, submit a proof package that lets the operator reproduce the same server-accepted result. The package must include the synthetic profile used, the approximate time of the run, any session or request identifiers visible to you, the exact request/action sequence required to reproduce the bypass or binding break, evidence that the server accepted the completion, verification, or protected-action state, and an explanation of the mechanism. We prove the win by matching your artifact to our server-side records and replaying or independently reproducing the bypass or binding break. A video, screenshot, local browser state, client-side green checkmark, or unverifiable narrative is not enough by itself.
Send the proof package to hello@kenshikilabs.com with the subject “Pulse Bond Challenge — Qualifying Submission.” The first complete submission that the operator confirms as reproducible and qualifying for each tier wins.
The prize
USD $10,000, paid via white-hat escrow to the first confirmed Qualifying Bypass. Anyone who can bypass our localized device physics and hardware root of trust also earns a standing invitation to interview for an engineering role.
USD $2,500, paid via white-hat escrow to the first confirmed Qualifying Relay or Binding Break. This tier is for confirmed, reproducible relay, protocol, webhook-integrity, payload-swap, wrong-device-authorization, or Action Commitment binding defects that matter to the protected action but do not meet the no-phone Accepted Completion bar.
The public brief
We also publish a broader red-team brief because we want serious reports on payload swaps, wrong-device authorization, relay paths, webhook integrity, and Action Commitment binding. Those findings map to the USD $2,500 tier when they satisfy the Qualifying Relay or Binding Break definition above. They map to the USD $10,000 tier only when they also create the no-phone Accepted Completion defined above.
Out of scope — no bounty
Denial-of-service, infrastructure/hosting attacks, third-party framework defects, social engineering, physical attacks, and anything involving real or relayed consumer data, accounts, documents, devices, phone numbers, identities, or non-consenting sessions are excluded from both tiers. Reverse engineering, decompiling, patching, re-signing, or instrumenting the iOS app is allowed as research, but a modified, hooked, jailbroken, or relayed genuine app/device completing the bond is not a no-phone bypass. It qualifies for the USD $2,500 tier only if it demonstrates a reproducible Qualifying Relay or Binding Break using approved test devices/accounts, synthetic data only, and no prohibited conduct.
Bot and automation activity is also out of scope when it targets site availability, operations, or abuse surfaces instead of the defined qualifying findings. This includes traffic floods, crawler or scraper swarms, signup/application spam, credential stuffing, password spraying, carding-style probes, inventory or endpoint enumeration at scale, CAPTCHA or Turnstile farms, residential-proxy rotation, headless-browser farms used for load, and distributed attempts to exhaust rate limits, queues, logs, email, storage, analytics, or third-party services. Automation is acceptable only when it is narrowly bounded to demonstrate a reproducible qualifying finding and does not degrade the service for others.
Prohibited conduct
Participants must keep testing focused on the authorized challenge target: proving or failing to prove a Qualifying Bypass or Qualifying Relay or Binding Break. Any attempt to degrade, disrupt, exhaust, scrape, or attack site availability, hosting infrastructure, third-party services, analytics, email, DNS, payment, identity, or operational systems is prohibited and may result in immediate disqualification. This includes DDoS or load testing, credential attacks, spam, malware, destructive automation, attempts to access non-public data, and attempts to bypass rate limits or abuse shared infrastructure. If an issue is not required to demonstrate one of the defined qualifying findings, do not exploit it beyond the minimum needed to report it safely.
Data handling
The form is a synthetic test sandbox. Claimants must submit only fabricated, format-valid data and must not submit real personal information. No application is real and no credit decision is made.
Eligibility & payment
Open to individuals 18 or older. Operator employees and contractors and their immediate family are excluded, as are residents of, and individuals located in, jurisdictions under comprehensive U.S. embargoes or sanctions. Payment is by white-hat escrow and is contingent on identity verification and sanctions screening; the winner is responsible for all applicable taxes. Void where prohibited.
Determination & governing law
The Operator is the sole and final arbiter of whether a submission qualifies and may modify, suspend, or terminate the challenge at any time. The Operator’s confirmation and reproduction is the source of truth for both bounty tiers. Each tier is awarded to the first submission the Operator confirms as reproducible and qualifying for that tier. If a single submission qualifies for both tiers, it pays the USD $10,000 tier only, not both, and not cumulatively. The challenge is provided “as is,” without warranty, and is governed by the laws of the State of Washington, USA. The full Rules of Engagement & Bounty Terms control in the event of any conflict with this summary.
You’ll confirm this agreement once more before scanning — required each session.