Wolf Dog Group, LLC
Security Policy for Solana Testnet Validator Operations
Effective Date: August 28, 2025
1. Introduction and Scope
Wolf Dog Group, LLC (the "Operator"), a Wyoming limited liability company specializing in cryptocurrency reserve treasury and blockchain solutions, hereby adopts this Security Policy (the "Policy") to govern the operation of its Solana testnet validator node (the "Validator"). This Policy outlines the Operator's commitment to maintaining the security, integrity, and reliability of the Validator in accordance with best practices established by the Solana Foundation, Anza AG (developers of the Agave client), and industry standards, including but not limited to the Wyoming Uniform Trade Secrets Act (W.S. § 40-24-101 et seq.), Wyoming Digital Assets laws (e.g., W.S. § 34-29-101 et seq.), federal U.S. guidelines under the Securities and Exchange Commission (SEC) and Financial Crimes Enforcement Network (FinCEN), and international data protection principles where applicable (e.g., anonymized data handling to align with GDPR-like standards for global delegators).
The Validator is hosted on dedicated, high-performance infrastructure and is intended for testnet participation with potential future mainnet expansion. This Policy applies to all personnel, contractors, and agents accessing or managing the Validator and shall be reviewed quarterly or upon material changes. The Operator reserves the right to amend this Policy at any time, with notice provided via the website https://validator.wolfdoggroup.com. Amendments shall be binding upon posting.
This Policy draws from established Solana validators such as Chorus One (emphasizing encrypted key management and segmented access), Blockdaemon (focusing on certifications like ISO 27001 and layered risk mitigation), Figment (highlighting hardware security modules and 24/7 monitoring), and bloXroute (prioritizing compliance and ethical MEV practices), as well as Solana Foundation and Anza guidelines for robust hardware, network hardening, and operational resilience. Specific security implementations and vendor details are intentionally not disclosed to prevent targeted attacks.
2. Hardware and Infrastructure Security
The Operator shall employ industry-standard physical and virtual measures to safeguard the Validator's infrastructure, aligning with Anza's recommendations for high-performance hardware and avoidance of containerization in production environments:
- Infrastructure Specifications and Provider: The Validator is provisioned on a reputable provider with features optimized for blockchain operations, including high-core processors, ample ECC RAM, high-endurance storage, and sufficient bandwidth. The provider is selected for compliance with standards such as ISO 27001 and SOC 2, with annual audits to verify security controls.
- Access Controls and Isolation: Access is restricted to authorized users under least-privilege principles, using secure authentication methods. Infrastructure is isolated to minimize exposure, with redundant systems ensuring high uptime.
- Hardening Measures: The system is hardened through regular updates to the Agave client and underlying OS, with resource limits enforced to prevent exhaustion. No unnecessary services are run, and operations prioritize security over non-essential features.
3. Network Security
Network integrity is maintained to prevent unauthorized access and ensure reliable consensus, drawing from Solana's guidelines and practices of validators like Figment (multi-layered defenses):
- Access Management: Industry-standard firewalls and access controls limit traffic to essential protocols, with all changes logged and reviewed. Public exposure is minimized, and traffic is encrypted end-to-end using modern standards (e.g., TLS 1.3).
- Threat Mitigation: Advanced DDoS protection, web application firewalls, and rate limiting are employed to counter threats. Access requires multi-factor authentication and device verification where applicable. All security measures are implemented using industry-standard solutions without exposing specific vendor information.
- Synchronization and Consensus: Time synchronization uses trusted NTP sources to maintain accuracy within acceptable offsets, avoiding consensus failures. Communications are restricted to verified peers to mitigate sybil attacks, with redundancy for reliability.
4. Key Management and Cryptographic Security
The Operator shall handle cryptographic assets with utmost confidentiality and integrity, incorporating lessons from Solana ecosystem incidents and best practices from Chorus One (encrypted backups and segmented access):
- Key Generation and Storage: All keypairs are generated using strong randomness and stored in encrypted formats, never exposed to public networks or held in custody to avoid regulatory burdens like MSB registration under FinCEN.
- Backup and Recovery: Keys are backed up securely off-site with integrity verification, and recovery modes are enabled for resilience. Authorities for stakes and withdrawals are segregated, with multi-approval requirements for significant actions on mainnet.
- Ethical Practices: The Operator commits to no predatory MEV strategies, ensuring fair participation aligned with Solana's ethical standards.
5. Monitoring, Incident Response, and Auditing
The Operator shall maintain continuous oversight, similar to Blockdaemon's 24/7 monitoring and slashing coverage:
- Monitoring Tools: Real-time metrics tracking (e.g., performance, uptime) is implemented with alerts for anomalies like excessive skips or resource issues.
- Log Management: Logs are rotated and retained securely, with thresholds triggering notifications.
- Incident Response: A documented plan ensures incidents are investigated promptly (within 1 hour), with escalation to experts and root cause analysis. Critical vulnerabilities are patched within 24 hours.
- Auditing and Training: Quarterly internal reviews and annual third-party audits (e.g., penetration testing) are conducted. Personnel receive ongoing training on security threats, key handling, and compliance. Changes are version-controlled.
6. Compliance, Data Privacy, and Risk Mitigation
The Operator complies with applicable laws, leveraging Wyoming's crypto-friendly framework while considering international delegators:
- Regulatory Compliance: Operations adhere to U.S. fintech standards, including KYC/AML for programs like SFDP, with no custody of third-party funds. Data privacy follows U.S. principles (e.g., CCPA) and international norms (e.g., GDPR for any minimal, anonymized data), ensuring no unnecessary personal data collection.
- Risk Management: Self-stake is maintained for alignment, with insurance for cyber risks and commitments to high uptime. Policy violations result in immediate access revocation and potential legal action.
- Disclaimer: This Policy is not legal advice and creates no contractual obligations beyond stated commitments. The Operator disclaims all liability for network events, protocol changes, or losses from Validator operations, including SFDP outcomes. Users should consult independent counsel. Governing law: State of Wyoming, U.S., with disputes resolved in Wyoming courts or through arbitration for international parties.
7. Enforcement and Binding Nature
This Policy is binding on all parties accessing the Validator and shall be enforced through access controls and contractual agreements with personnel. Violations may lead to disciplinary action, including termination and pursuit of remedies under Wyoming law.
Contact: For concerns, use the secure Contact Us form on our website, routing to [email protected] or [email protected].
Approved by:
Authorized Signer
Wolf Dog Group, LLC
Date: August 28, 2025
