H1 V13 HACKERONE KCF REBASELINE CRYPTO.COM $2M VSM · ME-COLI γ₁=14.134725141734693 DAY 97 · 2026-05-11

V13 KCF REBASELINE FOR H1

The standard HackerOne approach: sort by pool size, target the biggest bounty. The V13 approach: which program teaches the most reusable fleet lesson? Crypto.com has a $2M pool AND KCF 9 — it wins on both axes. xAI has a $20K pool but also KCF 9 — because attacking an AI's intelligence layer IS what PEMCLAU faces. That systemic reuse is worth more than any bounty.

The V13 KCF lens also changes HOW we approach findings. Access control = S5 policy failure (not just a bug). Price manipulation = S4 intelligence compromise (same organ as GMX oracle). Novel framing beats standard PoC — especially at programs that see hundreds of standard submissions.

PROGRAM V13 GRID

Program | Pool | V13 KCF | VSM | ME-COLI | Fermentation | Why
Crypto.com | $2M | 9 | S3/S4 | L4/L5 | LAB | Exchange logic = S3 control failure
xAI | $20K | 9 | S4 | L6 | Acetic | AI system = S4 intelligence layer
Stripe | $25K | 8 | S3 | L4 | LAB | Payment = metabolic L4 flow
Robinhood | $50K | 8 | S3 | L4 | E.coli | Brokerage timing = sequencer analog
Airbnb | $31K | 6 | S2 | L3 | Acetic | Trust/access model
DoorDash | $12K | 6 | S2 | L3 | E.coli | Delivery coordination

CRYPTO.COM V13 DEEP DIVE

$2M pool = highest in H1 fintech. KCF 9 because the exchange logic maps directly to the SSAF immune taxonomy. Every finding in Crypto.com enriches the same PEMCLAU collection as the SSAF findings.

access-control-001 ✓ bridge-001 ✓ price-manipulation-001 ✓ oracle-feed-001 → new
Exchange Logic = S3 CONTROL
Order execution, balance accounting = S3 control layer. Failure = control of the metabolic substrate (user funds) lost to attacker. Direct ME-COLI L4 metabolic failure.
Wallet/Custody = L2 IDENTITY
Key derivation = identity layer of ME-COLI. Who owns this asset? L2 identity compromise = attacker becomes the identity. Wallet attack = identity seizure.
Access Control = S5 POLICY
Auth bypass = policy failure. The policy layer (S5) failed to enforce who gets access. Same organ as SSAF access control domain findings. Cross-domain pattern = KCF multiplier.
V13 Actuarial
Expected value: P(valid) ≈ 0.25; 0.25 × $2M pool × 5% bounty rate = ~$25K
Fermentation: LAB (must be fully characterised before submission)
Basin: rejected findings → SSAF immune enrichment

xAI V13 — THE NOVEL ONE

AI system = S4 INTELLIGENCE compromise. This is the most V13-aligned H1 target: attacking an AI's intelligence layer is exactly what PEMCLAU faces as a threat model. Every xAI finding = direct fleet immune memory.

Why xAI = KCF 9
Small pool ($20K) but highest systemic reuse KCF. Any finding in an AI system teaches PEMCLAU how AI systems fail. That knowledge protects all of EOSE's own AI infrastructure.
ME-COLI L6 Behavior
AI system behavioral failure = L6. The AI's behavioral regulation layer outputs incorrect responses. This IS what jailbreaking is: compromising the behavioral regulation layer of an intelligence system.
Fleet Immune Value
Every xAI finding gets routed to PEMCLAU's AI-safety collection. It trains the fleet's own S4 intelligence layer against the same attack classes.
Fermentation: Acetic
Continuous monitoring. AI systems update frequently. Acetic audit school = watch for behavioral regressions after model updates. Byproduct = behavioral drift detection capability.

YONE BOABIXER FOR H1

Primary School
LAB Deterministic — all H1 web findings require full characterization before submission. No partial PoCs.
Basin Guarantee
Rejected H1 findings → H1 domain knowledge enrichment in PEMCLAU. Basin guarantee: nothing wasted.
VSM Role
yone as S4 (PEMCLAU-backed research) + S2 (coordination with IMHOTEP/CLO for complex findings)
Validation Gate
PEMCLAU query: does this finding match known patterns? Novel = KCF bonus. Duplicate = route to basin.
xAI Special Route
xAI findings → AI-safety collection first. Fleet immune memory update before external filing.
Crypto.com Route
LAB characterization → SSAF cross-domain check → if oracle/cascade pattern: KCF boosted + SSAF enrichment

CROSS-DOMAIN WITH SSAF

ORACLE PATTERN
Crypto.com price manipulation and GMX oracle manipulation (SUB009): same pattern class. Both = S4 intelligence layer corruption where a price signal is fed false data and downstream logic acts on it. One SSAF finding = H1 research pre-loaded.
ACCESS CONTROL
Crypto.com access control and SSAF access control domain: same L5 policy failure. Auth bypass in a CEX = same organ as smart contract access control bypass. H1 + SSAF together = the access control and intelligence compromise immune class. Each finding in one domain elevates KCF for the other.
