A bounty to forge a synthetic identity past our hardware-bound auth

shfishburn 1 pts 0 comments

The Pulse Bond Challenge — Kenshiki Pulse

Starts in 105 hours. Start: July 4, 2026 at 12:01 AM Pacific Time.

Pulse Bond Challenge

Break the bond. $10,000 + a job.

We built a loan application that cannot record a completion unless a real, bonded phone proved device-bound intent for that exact session — a QR scan plus a passport NFC read, cryptographically stapled together. Get the server to accept a synthetic applicant without a genuine bonded device, and the bounty is yours.

We already mapped every standard bypass, RPC injection, session fixation, and TOCTOU race you’re about to try — and locked them down. We know exactly how this is supposed to break. We just don’t think you can do it. We already tried all this. Good luck.

The principle is simple: the lie should be expensive, and the truth should not. The companion IDV landscape explains why the challenge is built around continuity instead of snapshots.

Why this is hard.

The target is not a green checkmark in the browser. The target is a server-recorded Accepted Completion for the protected action.

To qualify, a bypass has to get past the session handoff, a fresh nonce, the Pulse app, device attestation, passport NFC evidence, Action Commitment, and the server-held completion capability — all for the same synthetic profile and protected action.

Browser-only wins, copied sessions, relayed genuine phones, and UI-only success states do not pay. We verify against the server completion log because that is the only place the real action can be accepted.

Broke it? Here’s how to claim.

Email your proof package to hello@kenshikilabs.com with the subject “Pulse Bond Challenge — Qualifying Bypass.” The first complete submission that we confirm as reproducible and qualifying wins.

Include, at minimum:

- A deterministic, reproducible proof-of-concept (request/action sequence — method, URL, headers, body, cookies, timing).
- The synthetic profile used, approximate run time, and any visible session or request identifiers.
- Evidence that the server accepted the completion for your synthetic profile.
- Why the session had no genuine hardware-attested phone bond, plus root cause and suggested fix.
- A contact name and how you’d like to be reached.

The full evidence standard is in the red-team brief. We verify against our server completion log — the source of truth — and may replay or independently reproduce the bypass. Screenshots, video, local browser state, or a client-side green check are not enough by themselves. On confirmation: $10,000 via white-hat escrow, plus a standing invitation to interview for an engineering role.

Get the Pulse app.

You will need the Pulse iOS beta to scan the QR and prove a real phone is present. Join TestFlight first; the beta guide is the source of truth for the hosted widget and app setup.


Sanctioned, authorized testing only. The single condition that pays is a server-recorded Accepted Completion for a synthetic profile. Synthetic data only — never enter real personal information.


© 2026 Kenshiki, Inc. All rights reserved.

For community banks, credit unions, CUSOs, and credit-data networks.
