$2,000,000 QStrike Challenge

1. Program Overview

Qtonic Quantum Corp ("Qtonic Quantum") offers the $2,000,000 QStrike Challenge (the "Challenge") to qualified organizations seeking independent validation of their cryptographic security posture. The Challenge is conducted through Qtonic Quantum's QStrike platform, which coordinates provider-aligned validation workflows across approved third-party quantum computing platforms. Additional modeled provider coverage may inform planning as service availability changes. Scoped customer engagements determine when deeper validation is used.

If Qtonic Quantum fails to identify any High or Critical severity cryptographic vulnerabilities during a qualifying engagement, Qtonic Quantum will pay the participating organization Two Million Dollars ($2,000,000 USD), subject to the terms and conditions herein.

Annual Program Cap: The maximum aggregate payout under this Challenge is Four Million Dollars ($4,000,000 USD) per calendar year. If the annual cap is reached, Qtonic Quantum will suspend new Challenge enrollments until the following calendar year. Organizations with signed SOWs prior to cap notification will be honored.

2. Eligibility Requirements

To participate in the Challenge, an organization must meet all of the following criteria:

(a) Be a legally registered business entity, government agency, or nonprofit organization.

(b) Maintain production systems that process, store, or transmit encrypted data with a minimum data retention requirement of five (5) years or longer.

(c) Have implemented or be actively implementing post-quantum cryptography (PQC) solutions across at least one production environment.

(d) Execute a full QStrike Enterprise engagement under signed scope terms, with eligibility conditions documented before validation begins.

(e) Provide Qtonic Quantum with authorized access to all cryptographic infrastructure within the defined scope, including but not limited to: key management systems, certificate authorities, encryption endpoints, HSMs, and related configuration data.

(f) Sign a Master Services Agreement (MSA), Statement of Work (SOW), and this Challenge Addendum prior to engagement commencement.

Qtonic Quantum reserves the right to decline participation to any organization that does not meet these requirements or whose infrastructure falls outside the scope of QStrike's testing capabilities.

3. Engagement Scope

The Challenge applies exclusively to the cryptographic infrastructure explicitly defined in the signed Statement of Work. The engagement scope must include a minimum of one (1) of the following categories:

(a) Public Key Infrastructure (PKI) and certificate management systems

(b) Key management and key exchange protocols

(c) Data-at-rest encryption implementations

(d) Data-in-transit encryption (TLS/SSL configurations, VPN tunnels, API security)

(e) Hardware Security Modules (HSMs) and cryptographic accelerators

Systems, applications, or infrastructure components not explicitly documented in the SOW are excluded from Challenge eligibility. Qtonic Quantum's identification of vulnerabilities in out-of-scope systems does not qualify for Challenge evaluation.

4. Engagement Timeline and Environment Lock

Maximum Duration: Challenge engagements must be completed within four (4) months (one hundred twenty (120) calendar days) from the commencement of active testing. Extensions require mutual written agreement and may result in additional fees.

Environment Baseline Lock: Upon commencement of active testing, Qtonic Quantum will document the baseline configuration state of all in-scope systems. The participating organization agrees not to implement patches, updates, configuration changes, key rotations, or other modifications to in-scope cryptographic infrastructure during the active testing period without prior written approval from Qtonic Quantum. Unauthorized modifications discovered during testing will result in immediate disqualification from Challenge eligibility.

Emergency Exceptions: If the organization must implement an emergency security patch to address an actively exploited vulnerability unrelated to the engagement, the organization must notify Qtonic Quantum in writing within four (4) hours. Qtonic Quantum will document the change and determine in its sole discretion whether Challenge eligibility is affected.

5. Vulnerability Classification

Vulnerabilities identified during the engagement will be classified using the Common Vulnerability Scoring System (CVSS) version 3.1 or later. For purposes of this Challenge:

(a) Critical Severity: CVSS Base Score of 9.0 to 10.0

(b) High Severity: CVSS Base Score of 7.0 to 8.9

The Challenge award is forfeited if Qtonic Quantum identifies one or more High or Critical severity vulnerabilities within the defined scope. Medium, Low, and Informational findings do not affect Challenge eligibility.

Qualifying vulnerability categories include but are not limited to: use of deprecated or weak cryptographic algorithms in production, improper key generation or insufficient key entropy, exposed or inadequately protected cryptographic keys, misconfigured certificate chains or expired certificates in active use, broken or bypassed cryptographic controls, ephemeral key leakage enabling practical cryptanalysis, and configuration states that materially reduce cryptographic strength below acceptable thresholds.

6. Award Conditions

To qualify for the $2,000,000 award, all of the following conditions must be satisfied:

(a) The organization met all eligibility requirements at the time of engagement.

(b) The engagement was completed in full accordance with the signed SOW within the maximum duration.

(c) Qtonic Quantum was provided complete and accurate access to all in-scope systems as defined.

(d) The organization did not withhold, obscure, or misrepresent any information material to the assessment.

(e) The organization maintained environment lock requirements throughout the testing period.

(f) Qtonic Quantum's final deliverable confirms zero (0) High or Critical severity findings within the defined scope.

(g) The organization has paid all invoiced amounts in full prior to award disbursement.

(h) The annual program cap has not been exhausted at the time of final report delivery.

Upon satisfaction of all conditions, Qtonic Quantum will issue payment within sixty (60) business days of final report acceptance. Payment will be made via wire transfer to an account designated by the participating organization. International recipients are solely responsible for any applicable taxes, duties, or withholding requirements in their jurisdiction.

7. Exclusions

The following circumstances disqualify an organization from Challenge eligibility or award:

(a) Engagements conducted under pilot, proof-of-concept, or discounted commercial arrangements.

(b) Organizations that restrict testing to non-production, sandbox, or demonstration environments only.

(c) Engagements where the organization limits access to specific systems, keys, or configurations within the agreed scope after signing.

(d) Organizations that have undergone a prior QStrike engagement within the preceding twelve (12) months.

(e) Any organization that is a direct competitor of Qtonic Quantum or is affiliated with a competing quantum security vendor.

(f) Organizations under active litigation with Qtonic Quantum or any of its affiliates.

(g) Engagements where the organization's conduct, interference, or lack of cooperation materially impaired Qtonic Quantum's ability to perform comprehensive testing.

8. Engagement Withdrawal

Qtonic Quantum reserves the right to withdraw from Challenge eligibility during the discovery or reconnaissance phase of an engagement under the following circumstances:

(a) The organization's cryptographic infrastructure was designed, implemented, or is actively managed by a government agency, military unit, or intelligence service of any nation.

(b) The engagement scope materially differs from representations made during pre-engagement discussions, including undisclosed complexity, classified components, or restricted-access systems.

(c) Qtonic Quantum determines that complete testing would require security clearances, foreign government approvals, or access permissions not obtainable within the engagement timeline.

(d) Information obtained during discovery reveals a material conflict of interest, including but not limited to relationships with competing vendors or ongoing legal matters.

Upon withdrawal from Challenge eligibility, the engagement will continue as a standard QStrike assessment at the contracted rate. The organization will receive the full deliverables and remediation roadmap but will not be eligible for the $2,000,000 award. Fees paid are non-refundable. Qtonic Quantum will provide written notice of withdrawal with stated rationale within five (5) business days of the determination.

This withdrawal right expires upon commencement of active validation. Once scoped quantum attack validation begins, Qtonic Quantum is bound by the Challenge terms for that engagement.

9. Force Majeure and Platform Availability

Qtonic Quantum's testing methodology requires access to approved third-party quantum computing platforms. In the event that one or more quantum computing platforms become unavailable due to outages, maintenance, capacity constraints, service discontinuation, or other circumstances beyond Qtonic Quantum's reasonable control, Qtonic Quantum may pause the engagement until access is restored.

If platform unavailability exceeds fourteen (14) consecutive calendar days, either party may elect to conclude the engagement based on testing completed to date. In such cases, Challenge eligibility will be determined based on the scope tested. No additional award or compensation is owed for untested scope due to platform unavailability. Qtonic Quantum is not liable for delays, incomplete testing, or any damages arising from third-party platform availability issues.

10. Dispute Resolution

In the event of a dispute regarding vulnerability classification or Challenge eligibility, the following process applies:

(a) Internal Review: The organization may submit a written dispute within fourteen (14) calendar days of receiving the final report. Qtonic Quantum's technical review board will evaluate the dispute and provide a written response within twenty-one (21) calendar days.

(b) Independent Arbitration: If the dispute remains unresolved, either party may request binding arbitration administered by JAMS under its Comprehensive Arbitration Rules. The arbitration will be conducted in Miami-Dade County, Florida. The arbitrator's decision regarding CVSS scoring and vulnerability validity shall be final. Each party bears its own costs, with arbitration fees split equally.

Disputes not raised within the fourteen (14) day window are deemed waived.

11. Confidentiality and Publicity

All engagement activities, findings, and deliverables are subject to the confidentiality provisions of the executed MSA. Qtonic Quantum will not disclose the identity of Challenge participants or specific findings without written consent.

Aggregate Statistics: Qtonic Quantum reserves the right to publish aggregate, anonymized statistics regarding Challenge outcomes (e.g., total engagements, total findings, payout status) for marketing and research purposes without identifying individual participants.

Publication Rights: Both parties agree to coordinate on any public statements, press releases, or other communications regarding the engagement or its outcomes. Either party may publish factual, accurate accounts of the engagement process and results. Misleading or materially false public statements by either party may be addressed through the dispute resolution process described in Section 10.

12. Indemnification

The participating organization agrees to indemnify, defend, and hold harmless Qtonic Quantum, its officers, directors, employees, agents, and affiliates from and against any and all claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising from or related to:

(a) The organization's authorization of testing activities on systems it does not own or have authority to test.

(b) Any production incidents, data loss, or service disruptions resulting from the organization's failure to properly isolate or protect systems outside the defined scope.

(c) Third-party claims arising from the organization's misrepresentation of Challenge results or unauthorized use of Qtonic Quantum's name or trademarks.

(d) Breach of the non-disparagement or confidentiality provisions herein.

13. Limitation of Liability

Qtonic Quantum's total liability under this Challenge is limited to the $2,000,000 award amount per qualifying engagement. In no event shall Qtonic Quantum be liable for indirect, incidental, consequential, special, or punitive damages arising from participation in the Challenge, regardless of whether such damages were foreseeable or whether Qtonic Quantum was advised of the possibility of such damages.

The Challenge does not constitute a warranty, guarantee, or certification of the participating organization's security posture. A finding of zero High or Critical vulnerabilities reflects the results of testing conducted during the engagement period under the specific conditions and scope defined and should not be construed as assurance against future vulnerabilities or attacks.

14. No Assignment

The participating organization may not assign, transfer, or delegate its rights or obligations under this Challenge to any third party without Qtonic Quantum's prior written consent. Any attempted assignment without consent is void. This includes but is not limited to assignment by operation of law, merger, acquisition, or change of control. Qtonic Quantum may assign its rights and obligations to any successor entity or affiliate.

15. Modification and Termination

Qtonic Quantum reserves the right to modify, suspend, or terminate the Challenge at any time with thirty (30) days written notice posted on qtonicquantum.com. Modifications do not apply retroactively to engagements already in progress at the time of notice. Organizations with signed SOWs at the time of termination will be evaluated under the terms in effect at signing.

16. Governing Law

These Terms and Conditions are governed by the laws of the State of Florida, without regard to conflict of law principles. Any litigation arising under these Terms shall be brought exclusively in the state or federal courts located in Miami-Dade County, Florida. The participating organization consents to personal jurisdiction in such courts.

17. Severability

If any provision of these Terms is held to be invalid, illegal, or unenforceable, the remaining provisions shall continue in full force and effect. The invalid provision shall be modified to the minimum extent necessary to make it valid and enforceable while preserving the parties' original intent.

18. Entire Agreement

These Terms and Conditions, together with the executed MSA and SOW, constitute the entire agreement between the parties regarding the Challenge and supersede all prior oral or written representations, understandings, or agreements. No modification of these Terms is binding unless in writing and signed by authorized representatives of both parties.

19. Acceptance

By executing a Statement of Work that references this Challenge, the participating organization acknowledges that it has read, understood, and agreed to these Terms and Conditions in their entirety.