Agent - X App DualDefense Audit: Program info

User Guide - Access & Setup Instructions

Step 1 - Registration

1. Go to the registration page: https://agentx-antidetect.com/signup/XXX
2. Complete the registration form.
3. Save your login credentials (email/username and password) - you will need them later.

Step 2 - Download the Application

1. Visit the download page: https://agentx-antidetect.com/en/download
2. Download the Windows version.
3. Install the application on your device.

Step 3 - Login

1. Open the installed application.
2. Log in using the same credentials created during registration.

IN-SCOPE: DESKTOP VULNERABILITIES

Scope clarification: only the desktop application is in scope for this program. Only "Critical" reports are in scope.

A Critical vulnerability must meet ALL of the following:

• Remote Code Execution (RCE) – Zero Interaction

• Unauthorized Private Key Extraction

• Transaction Tampering / Silent Modification

• Authentication Bypass (Leading to Fund Access)

• Remote Arbitrary File Write (Leading to Fund Theft)

• Demonstrable and reproducible exploitation.

• Direct, immediate, and unauthorized transfer of real user funds OR

• Extraction of private cryptographic keys allowing irreversible asset theft.

• No reliance on social engineering, user misconfiguration, or unrealistic attack conditions.

• Practical exploitability under default production settings.

Vulnerabilities that require:

• Physical device access
• Malware pre-installation
• User credential compromise
• Rooted/jailbroken environments

OUT OF SCOPE: DESKTOP VULNERABILITIES

• All other issues not mentioned “IN SCOPE” area
• Theoretical attack paths, speculative exploit chains, or vulnerabilities requiring additional unknown or unproven weaknesses will not qualify as Critical.

Only critical vulnerabilities that could lead to the loss of user funds or the permanent lock of funds are eligible for rewards.

• The company is not obliged to pay for "Low"-"High" severity issues. Only "Critical" issues are under the scope. However, the team may, at its discretion, accept the report and pay the bonus, the reward will not be a part of the bounty pool.
• Perform testing only within the scope
• Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of this Company without appropriate permission
• Each vulnerability must have a fully working Proof of Concept (PoC) attached to the report at the time of submission. Submissions missing a valid POC will be closed and may result in a reputation point penalty.
• Each vulnerability must have a significant, implicit high likelihood of exploitation.
• Each vulnerability must include a suggested fix or mitigation strategy at the time of submission of the report
• Human-based errors and rogue privileged users are considered to be not valid vulnerabilities or risks.

Fail to comply with these rules may result in the closure of your report, loss of reputation points, and ban from future participation in the contest

A critical vulnerability is defined as a vulnerability with both high likelihood and high impact.

Reward Distribution:

• The reward will be distributed in HAI tokens. For that you will need to provide in your account your hAI wallet address so we can arrange the transaction.

Clear wording:

• Bounty pool — total amount of reward in the DualDefence Audit.
• Allocated bounty — amount of reward for each unique vulnerability reported.
• The total bounty pool for the DualDefence Audit will be equally split among all unique issues reported.
• Example: If three researchers identify the same vulnerability and also there are two other vulnerabilities submitted only once (total 3 unique issues reported) each vulnerability will get 1/3 of the bounty pool. Allocated bounty reward will be split between all researchers who submitted the same issue (where uniq issues receive 1/3 of the pool and researchers will get 1/9 each of the initial reward pool).

Allocated bounty reward will be split between all researchers who submitted the same issue (where uniq issues receive 1/3 of the pool and researchers will get 1/9 each of the initial reward pool).

Single Valid Submission

Full Reward: If a critical vulnerability is found by only one participant, that reporter receives 100% of the bounty pool.

Duplicate Submissions

If multiple participants find the same vulnerability, the allocated bounty for that issue (bounty pool always equally split among all unique issues reported) is divided equally among all reporters. Example: If two researchers report the same vulnerability, each receives 50% of the allocated bounty. It can be 50% of the bounty pool if only one eligible issue was reported.

Multiple Unique Submissions

Split Based on Uniqueness of issues reported:

• Unique Issue 1: Found by one reporter.
• Unique Issue 2: Found by another reporter.

Each will receive 50% of the bounty pool.

[DISCLAIMER] The reward amount will be denominated in HAI tokens which are staked in FlashPool, due to market volatility, the final USD amount may differ from the one stated in the rules.

HackenProof is entitled to 10% of rewards as the fee for the triage and other services‼️

Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization

• No vulnerability disclosure, including partial is allowed till the end of FlashBounty Audit contest.
• Please do NOT publish/discuss bugs

We are happy to thank everyone who submits valid reports which help us improve our security. However, only those that meet the following eligibility requirements may receive a monetary reward:

• The vulnerability must be a qualifying vulnerability
• Any vulnerability found must be reported exclusively through hackenproof.com
• You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
• You must not be a former or current employee of us or one of its contractor.
• Provide detailed but to-the point reproduction steps
• AI-generated reports without runable PoC are not accepted under this program.