BREACH
OPERATION 001 ACTIVE // TARGET ACQUIRED
MOMA.SYM — CULTURAL INFRASTRUCTURE COMPROMISED
CICFA // BOUNTY PROGRAM // OPERATION: 001 ACTIVE   DWG-CICFA-01

MOMA.SYM

CULTURAL INFRASTRUCTURE CRITICAL FAILURE ATTACK
VULNERABILITY DISCLOSURE PROGRAM — OPERATION 001
TARGET: Museum of Modern Art — New York City, USA
BREACH WINDOW OPEN  //  MoMA SELECTED

⚠ Live Bounty Pool

CURRENT PRIZE POT — VERIFIED ON-CHAIN
Ξ···
LOADING…
⊕ Fund the Bounty ⊗ Take the Challenge
choose your role

⊕ Fund the Bounty

You are invited to arm the program.
Every contribution increases the prize. The pot is on-chain. Transparent. Verifiable. Permanent.

To fund the bounty, send ETH to the address below. Your contribution is attributed on the board. The act of funding is itself a critical gesture — an assertion that institutional critique has market value.

Ethereum Address
0x7fC76C439c200151Dde0345B09BA02764B9143Ec
[ View on Etherscan ]
Scan to send ETH

Contributors

Handle Amount (ETH)
NO CONTRIBUTORS YET — BE THE FIRST

⊗ Take the Challenge

Museum of Modern Art has been selected as the first CICFA target.
Surface a vulnerability. Submit the disclosure.
If verified by the jury, the bounty unlocks and transfers to you.

Mission Brief

MoMA has been selected as the first target of the CICFA Bounty Program.

You are invited to identify and document a vulnerability in its institutional architecture — symbolic, structural, or technical. Who gets shown? Who funds the walls? What disappears between the press release and the permanent collection? Where does the opsec fail?

Surface the flaw. Submit the disclosure. The act of naming it is the work. If the jury verifies it — the bounty is yours.

Operating Registers

Register A — Symbolic / Conceptual

A structural contradiction. A power leak. A governance exploit. A curatorial blindspot.

Institutional critique as vulnerability disclosure.

  • Corporate board composition + sponsorship conflicts
  • Canon formation: whose work enters the collection?
  • Ticket pricing vs. "public institution" mandate
  • Labor disputes and staff organizing
  • Expansion history and franchise logic
Register B — Technical (White Hat)

A real security or opsec finding in the institution's public digital infrastructure.

No exploitation. No harm. Submit through CICFA. We handle responsible disclosure.

  • Public website and API endpoints
  • Ticketing system opsec
  • Digital collection infrastructure
  • Subdomain enumeration / cert exposure
  • Public data leaks or misconfigured assets

Both registers are valid. They can coexist in one submission.

Verification Protocol

⚠ Unlock Conditions — A submission is valid if:
01 It discloses a genuine vulnerability in the target's institutional architecture Symbolic, structural, or technical — both registers qualify
02 It follows the submission format and contains sufficient detail to verify the finding Vague claims do not qualify — the disclosure must be specific and documented
03 It passes review by the CICFA Jury (simple majority) Jury composition published below — no anonymous adjudication
04 [Register B only] It survives the 30-day responsible disclosure window without retraction Target institution is notified via ransom letter; finding published after 30 days
05 On jury approval: ETH transferred from the bounty pool to the submitter's provided address No intermediary. No delay after jury vote. One winner per operation.

The Jury

⊕ JURY SEATS OPEN — 0/5 FILLED

The jury self-assembles from the first volunteers to register. Submit your ETH wallet address via the link below. Once registered, your vote on submissions will be signed with your wallet and recorded on-chain — provably yours, provably permanent.

[ Register as Juror → ]
SEATS REMAINING: 5  //  FIRST COME, FIRST SEATED  //  ETH WALLET REQUIRED
NO JURORS REGISTERED YET — SEATS OPEN ABOVE

Submission Formats

Document Written disclosure, breach narrative, exploit paper, or ransom note — 1–3 pages, any style
Visual / Diagram Attack surface map, power flow diagram, org chart annotated as exploit topology
Web Artifact A deployable page, tool, or interface — link to hosted version + screenshot
Prize Structure
ETH bounty pool transferred on jury approval
Public credit on the CICFA program dashboard
Exhibition attribution if selected for display
The naming of the vulnerability enters the archive — the archive is the work
Submit Vulnerability Disclosure