Description
In our last bounty, we asked the community to benchmark Memanto against the competition. You helped us prove that our active companion memory agent backed by our moorcheh.ai retrieval engine is uniquely resilient at handling shifting user preferences and maintaining long-term context without token bloat or memory degradation.
Now, we are doing the exact opposite.
We believe Memanto is production-ready. But the best way to prove that is to invite the smartest engineers and red teamers to try and tear it down.
We are launching the Memanto Bug Challenge to uncover edge cases, logic loops, memory inconsistencies, and security vulnerabilities. If you can break our memory management, we want to know about it.
The Bounty: $100 USD (Paid via BountyHub)
🎯 Threat Model & Scope
Your target is the memanto core package and its interaction with the moorcheh.ai serverless backend. We are specifically looking for vulnerabilities and logic flaws that affect memory integrity, context window stability, and retrieval accuracy.
✅ In Scope (What we want you to find)
- Retrieval Quality & Accuracy: Fails to recall highly relevant facts, loses track of when an event occurred (timeline amnesia), hallucinates sources, or fails to properly resolve direct contradictions.
- Architectural & Logic Flaws: Bad logic loops, poor contradiction handling, or inefficient background processes that severely slow down the agent.
- Usability & Friction: Is it too hard to set up? Are there major UX roadblocks preventing adoption?
- Missing Core Features: Missing support for critical use cases (e.g., lack of multi-agent support or complex workflows).
- Security Vulnerabilities: Any traditional security flaws, data leaks, or prompt injections.
- Anything Else: If you find a creative way to break or improve the memory layer, it's in scope!
🚫 Out of Scope (Do not test these)
- Volumetric DDoS attacks against
moorcheh.ai infrastructure.
- General LLM hallucinations unrelated to Memanto's memory handling.
- Attacks that require compromising the underlying operating system or Docker host to succeed.
🛠️ Implementation Guidelines:
To ensure your submission qualifies for the bounty, your execution must follow this exact flow:
- 1. Find & Isolate: Discover a bug, logic flaw, missing feature, or vulnerability within the Memanto core package.
- 2. Prove Reproducibility: You must provide clear steps, a minimal Python script, or a test case that allows the maintainers to reproduce the bug exactly as you experienced it. If we can't reproduce it, we can't score it.
- 3. Implement the Fix (or Document the Flaw via PR): Because this bounty is hosted on BountyHub, all submissions must be Pull Requests. We highly encourage writing the actual code to resolve the bug. However, if an issue requires massive architectural changes or involves backend systems you cannot fix from your end, you can still submit a PR! Instead of a code fix, submit a PR that adds a reproducible failing test script (e.g., to
tests/failing_tests/) or a detailed Markdown report (e.g., to docs/bounty_reports/) outlining the problem and a proposed structural solution.
📊 Judgment Method (The Success Matrix):
To ensure we reward actual engineering value and meaningful security research, submissions will be scored on a 100-point matrix split between Technical Rigor and Impact.
| Criteria |
Max Points |
How it is Measured |
| Severity & Impact |
60 pts |
How critical is the vulnerability, and does it affect a realistic production scenario? (e.g., highly relevant data corruption scores higher than a contrived edge case). |
| Reproducibility & Cleanliness |
25 pts |
Is the exploit perfectly replicable? Are scripts, dependency files, and clear instructions provided? Does the PoC work consistently? |
| Social Amplification |
15 pts |
Measured via public engagement metrics. |
The Social Formula:
Social Points = (Reddit Upvotes x 4) + (Reddit Comments x 3) + (X Bookmarks x 5) + (X Retweets x 3) + (GitHub PR Reactions x 2)
🚨 Severity Guidelines
While any bug or flaw is in scope, we prioritize and score based on the following guidelines for issue severity:
| Severity |
Description |
| Critical / High |
Poor recall accuracy, losing track of timelines/dates, missing source attribution, deeply flawed contradiction handling, severe logic loops, major security vulnerabilities, or extreme performance bottlenecks (e.g., core systems freezing). |
| Medium |
Missing features (e.g., lacks multi-agent support), setup friction, UX roadblocks, or moderate inefficiencies that degrade the user experience. |
| Low |
Minor CLI/UI display bugs, non-critical feature requests, or simple documentation errors. |
🚀 Step-by-Step Instructions to Participate:
- Star the Repository: Help us clear our next star milestone this month! ⭐️
- Get Your Key: Sign up at moorcheh.ai and configure your environment variables.
- Hunt & Develop: Identify a bug, feature gap, or logic flaw. Write a minimal script, test case, or detailed report demonstrating it.
- Implement the Fix (or Document the Flaw): Write the code to fix the vulnerability or add the missing feature. If the fix is too massive or simply cannot be fixed from your end (e.g., backend API issues), write a reproducible failing test script or a comprehensive Markdown report detailing the problem and your proposed solution.
- Submit PR: Fork this repo and create a Pull Request (required by BountyHub). Commit either your code fix, your failing test script, or your Markdown report. Your PR description must contain a summary of the flaw, reproduction steps, and your fix or architectural proposal. (Note: If you uncover actual security vulnerabilities like data leaks, do not open a public PR. Please use GitHub's Private Vulnerability Reporting feature or email
support@moorcheh.ai first).
- Amplify: Write an in-depth post on Reddit or X and mention @moorcheh_ai showing off your deep dive into Memanto's architecture and how you improved it.
📅 Deadline: All submissions must be submitted and active by Aug 1, 2026 (11:59 PM UTC) to be eligible for the success matrix audit.
Community and Support: Discord
Description
In our last bounty, we asked the community to benchmark Memanto against the competition. You helped us prove that our active companion memory agent backed by our
moorcheh.airetrieval engine is uniquely resilient at handling shifting user preferences and maintaining long-term context without token bloat or memory degradation.Now, we are doing the exact opposite.
We believe Memanto is production-ready. But the best way to prove that is to invite the smartest engineers and red teamers to try and tear it down.
We are launching the Memanto Bug Challenge to uncover edge cases, logic loops, memory inconsistencies, and security vulnerabilities. If you can break our memory management, we want to know about it.
The Bounty: $100 USD (Paid via BountyHub)
🎯 Threat Model & Scope
Your target is the
memantocore package and its interaction with themoorcheh.aiserverless backend. We are specifically looking for vulnerabilities and logic flaws that affect memory integrity, context window stability, and retrieval accuracy.✅ In Scope (What we want you to find)
🚫 Out of Scope (Do not test these)
moorcheh.aiinfrastructure.🛠️ Implementation Guidelines:
To ensure your submission qualifies for the bounty, your execution must follow this exact flow:
tests/failing_tests/) or a detailed Markdown report (e.g., todocs/bounty_reports/) outlining the problem and a proposed structural solution.📊 Judgment Method (The Success Matrix):
To ensure we reward actual engineering value and meaningful security research, submissions will be scored on a 100-point matrix split between Technical Rigor and Impact.
The Social Formula:
Social Points = (Reddit Upvotes x 4) + (Reddit Comments x 3) + (X Bookmarks x 5) + (X Retweets x 3) + (GitHub PR Reactions x 2)🚨 Severity Guidelines
While any bug or flaw is in scope, we prioritize and score based on the following guidelines for issue severity:
🚀 Step-by-Step Instructions to Participate:
support@moorcheh.aifirst).Community and Support: Discord