Audits & Reports
Cadence
The Network is independently audited on a standing cadence: cryptographic primitives reviewed annually, smart contracts reviewed at every protocol release, and a consolidated operating-controls report filed with the Foundation each August.
Standing reports
- Annual cryptographic audit. NIST-accredited reviewer; covers ML-DSA, ML-KEM, SLH-DSA, SHA-3, the Pulsar-M finality witness, and the strict-PQ profile enforcement. Published by 1 August each year.
- Protocol-release audit. Independent review at every consensus-layer protocol upgrade. Findings published with the release notes.
- Bridge audit. Annual review of bridge contracts; covers the post-quantum permit format (PQPermit) and the cross-chain handshake.
- Operating-controls report. Annual SOC-2-aligned controls review; covers KMS custody, validator signing-key rotation, and incident response.
- Reserves. Monthly proof-of-reserves for tokenised assets (GOLD-O et al.); hashed bar lists anchored on chain.
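The reserves item above says bar lists are hashed and anchored on chain but does not specify the commitment scheme. The following is an added illustration, not the Network's own code, of one common way such a proof-of-reserves is made verifiable: the bar list is committed to as a SHA3-256 Merkle root (the Merkle construction and the canonical-JSON leaf encoding are this example's assumptions), the root is the value that would be anchored on chain, and any holder can check that a particular bar is included and that a tampered bar record fails verification. The bar list is constructed sample data.

```python
import hashlib
import json

# Constructed sample bar list; not real custody data.
BARS = [
    {"bar_id": "BAR-0001", "refiner": "ExampleRefiner", "fine_oz": 400.12},
    {"bar_id": "BAR-0002", "refiner": "ExampleRefiner", "fine_oz": 399.87},
    {"bar_id": "BAR-0003", "refiner": "OtherRefiner", "fine_oz": 401.05},
]


def leaf_hash(bar: dict) -> bytes:
    """Hash one bar record. Canonical JSON (sorted keys, no whitespace) so every
    verifier hashes identical bytes; 0x00 prefix separates leaves from nodes."""
    data = json.dumps(bar, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha3_256(b"\x00" + data).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    """Interior node; 0x01 prefix prevents leaf/node confusion attacks."""
    return hashlib.sha3_256(b"\x01" + left + right).digest()


def _pad(level: list) -> list:
    # Odd level: duplicate the last hash so every node has a sibling.
    return level + [level[-1]] if len(level) % 2 else level


def merkle_root(leaves: list) -> bytes:
    if not leaves:
        raise ValueError("empty bar list has no commitment")
    level = list(leaves)
    while len(level) > 1:
        level = _pad(level)
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def inclusion_proof(leaves: list, index: int) -> list:
    """Sibling hashes from leaf to root; each entry is (sibling, sibling_is_right)."""
    proof = []
    level = list(leaves)
    i = index
    while len(level) > 1:
        level = _pad(level)
        proof.append((level[i ^ 1], i % 2 == 0))
        level = [node_hash(level[j], level[j + 1]) for j in range(0, len(level), 2)]
        i //= 2
    return proof


def verify_inclusion(leaf: bytes, proof: list, root: bytes) -> bool:
    h = leaf
    for sibling, sibling_is_right in proof:
        h = node_hash(h, sibling) if sibling_is_right else node_hash(sibling, h)
    return h == root


def anchor_record(bars: list) -> dict:
    """What would be published on chain: the root plus the bar count and total
    fine ounces, so holders can compare reserves against outstanding tokens."""
    root = merkle_root([leaf_hash(b) for b in bars])
    return {
        "root": root.hex(),
        "bar_count": len(bars),
        "total_fine_oz": round(sum(b["fine_oz"] for b in bars), 2),
    }


if __name__ == "__main__":
    rec = anchor_record(BARS)
    leaves = [leaf_hash(b) for b in BARS]
    proof = inclusion_proof(leaves, 2)
    print(rec)
    print("bar 3 included:", verify_inclusion(leaves[2], proof, bytes.fromhex(rec["root"])))
```

A holder who is given only the published root, their bar's record and its proof can run `verify_inclusion` offline; the auditor's monthly bar list is what lets anyone recompute the root independently.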
Formal proofs
Soundness proofs for the strict end-to-end post-quantum profile and for the Pulsar-M finality witness are maintained in ~/work/lux/proofs/strict-e2e-pq/ (Lean 4 machine-checked + TLA+ model-checked). The proofs are published under the same release tag as the consensus code they verify.
Bug bounty
Standing bounty programme for vulnerabilities in the Network’s in-scope surfaces. Awards scaled by severity and impact; the standing maximum is reserved for protocol-level consensus or cryptographic breaks. Detailed scope and payout schedule at docs.osage.network/security/bounty.
How to read this page
Each report cites the auditor, the period covered, the scope agreed in advance, and the findings disposition. Where a finding is closed without remediation, the report includes a written board-level acknowledgement of accepted residual risk.
Engagement
Audit and review requests: [email protected]. Researchers: [email protected]. Security disclosures: /security.