
Finding Hash Commitment

Crown Jewel Infrastructure

All findings are hashed and committed BEFORE submission to the source platform. This is the critical defense against front-running and theft.

How It Works

```json
{
  "commitment_id": "uuid",
  "timestamp": "ISO-8601",
  "target_hash": "sha256(platform + program_id)",
  "finding_hash": "sha256(title + description + affected_files + severity)",
  "hunter_id": "uuid",
  "pool_id": "uuid | null",
  "chain_anchor_tx": "solana_tx_signature"
}
```

On-Chain Anchoring

Solana primary, Base fallback:

  • Batch commitments every hour → Merkle root → single Solana transaction
  • Cost: ~$0.0025 per transaction
  • Operational cost: ~$0.015/day
  • Finality: 400ms

Critical Security Properties

Only the Hash Goes On-Chain. Never the Finding.

Solana sees: 0xa7f3b2c1d9e8... (32 meaningless bytes)

SHA-256 is a one-way function: recovering the finding's contents from its hash is computationally infeasible. The chain serves as a tamper-proof notary: it proves that data hashing to this value existed at a specific time, nothing more.

Append-Only Log

  • No edits. No deletes. Ever. Not even admins.
  • Append-only enforced at infrastructure level (not just application logic)
  • Write-once storage with blockchain anchoring for tamper-proof timestamps

Isolation

  • Hash store is a separate service from the main application DB
  • Separate credentials — main DB breach doesn't touch hash store
  • Zero employees can delete entries — immutable by design

Audit Trail

  • All access audit-logged to separate tamper-proof trail
  • Regular integrity checks via Merkle tree
  • Root published periodically for external verification

Backup & Recovery

  • Geographically separate cold storage backups
  • Even if the main DB is destroyed, chain anchors survive

Compromise Protocol

If compromise is ever suspected:

  1. Freeze all payouts immediately
  2. Full audit of hash store integrity
  3. Cross-reference against on-chain anchors
  4. Notify all affected parties
  5. Restore from cold storage backups if needed

Verification Flow

When proof of prior work is needed:

  1. Reveal original finding data
  2. Hash it with SHA-256
  3. Compare against on-chain hash
  4. Match = cryptographic proof the finding existed at the committed time

Anyone can verify — the process is deterministic and publicly verifiable.
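The commitment record from "How It Works" and the verification flow above, as an added Python example (not Prowl's own code): it computes the per-finding SHA-256 commitment, batches the leaves into the Merkle root that the hourly anchoring job would put on-chain, and verifies a revealed finding against that root. The canonical-JSON field encoding, the Merkle convention of duplicating an odd last node, and the sample batch are assumptions, not details from the page.

```python
import hashlib
import json

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def finding_hash(title: str, description: str, affected_files: list, severity: str) -> bytes:
    # Canonical JSON (sorted keys, no whitespace) instead of raw "+" concatenation is an
    # assumption, not the page's encoding: raw ("a","bc") and ("ab","c") would hash alike.
    fields = {"title": title, "description": description,
              "affected_files": sorted(affected_files), "severity": severity}
    return sha256(json.dumps(fields, sort_keys=True, separators=(",", ":")).encode())

def merkle_root_and_proofs(leaves: list) -> tuple:
    # Hourly batch tree: returns the root that goes on-chain and one sibling path per leaf.
    # A proof step is (sibling_hash, sibling_is_on_right); an odd level duplicates its last node.
    proofs = [[] for _ in leaves]
    level, idx = list(leaves), [[i] for i in range(len(leaves))]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
            idx.append([])
        nxt, nidx = [], []
        for i in range(0, len(level), 2):
            for j in idx[i]:
                proofs[j].append((level[i + 1], True))
            for j in idx[i + 1]:
                proofs[j].append((level[i], False))
            nxt.append(sha256(level[i] + level[i + 1]))
            nidx.append(idx[i] + idx[i + 1])
        level, idx = nxt, nidx
    return level[0], proofs

def verify_commitment(revealed: dict, proof: list, anchored_root: bytes) -> bool:
    # Verification flow: re-hash the revealed finding, walk the proof, compare with the root.
    node = finding_hash(**revealed)
    for sibling, on_right in proof:
        node = sha256(node + sibling) if on_right else sha256(sibling + node)
    return node == anchored_root

# Constructed sample batch (placeholder findings, not real reports) for one hourly root.
SAMPLE_BATCH = [
    {"title": "Example A", "description": "placeholder A", "affected_files": ["src/a.py"], "severity": "high"},
    {"title": "Example B", "description": "placeholder B", "affected_files": ["src/b.py", "src/c.py"], "severity": "medium"},
    {"title": "Example C", "description": "placeholder C", "affected_files": ["src/d.py"], "severity": "low"},
]

def anchor_batch(batch: list) -> tuple:
    # What the hourly job would compute: the root to anchor and the proof each hunter keeps.
    return merkle_root_and_proofs([finding_hash(**f) for f in batch])
```

Because only the batch root is anchored, the hunter must retain the original finding and its sibling path off-chain; without the path, a single leaf cannot be tied back to the on-chain root.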

Prowl Protocol — Decentralized AI-Powered Bug Bounty Platform